harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

escape query string

Browse Source 
(cherry picked from commit b3928f3d2a)
This commit is contained in:
Mario Vavti 2018-06-07 22:45:07 +02:00 committed by Mario
parent 38b230a128
commit 19e509d997
5 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Zotlabs/Module/Connections.php
View File

@ -326,7 +326,7 @@ class Connections extends \Zotlabs\Web\Controller {
killme();
}
else {
$o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$o .= replace_macros(get_markup_template('connections.tpl'),array(
'$header' => t('Connections') . (($head) ? ': ' . $head : ''),
'$tabs' => $tabs,

2
Zotlabs/Module/Directory.php
View File

@ -395,7 +395,7 @@ class Directory extends \Zotlabs\Web\Controller {
$dirtitle = (($globaldir) ? t('Global Directory') : t('Local Directory'));
$o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . "; </script>";
$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . "; </script>";
$o .= replace_macros($tpl, array(
'$search' => $search,
'$desc' => t('Find'),

4
Zotlabs/Module/Photos.php
View File

@ -833,7 +833,7 @@ class Photos extends \Zotlabs\Web\Controller {
killme();
}
else {
$o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$tpl = get_markup_template('photo_album.tpl');
$o .= replace_macros($tpl, array(
'$photos' => $photos,
@ -1372,7 +1372,7 @@ class Photos extends \Zotlabs\Web\Controller {
killme();
}
else {
$o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$tpl = get_markup_template('photos_recent.tpl');
$o .= replace_macros($tpl, array(
'$title' => t('Recent Photos'),

2
Zotlabs/Module/Viewconnections.php
View File

@ -107,7 +107,7 @@ class Viewconnections extends \Zotlabs\Web\Controller {
killme();
}
else {
$o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$tpl = get_markup_template("viewcontact_template.tpl");
$o .= replace_macros($tpl, array(
'$title' => t('View Connections'),

4
boot.php
View File

@ -875,13 +875,13 @@ class App {
set_include_path("include/self::$hostname" . PATH_SEPARATOR . get_include_path());
if((x($_SERVER,'QUERY_STRING')) && substr($_SERVER['QUERY_STRING'], 0, 2) === "q=") {
self::$query_string = substr($_SERVER['QUERY_STRING'], 2);
self::$query_string = escape_tags(substr($_SERVER['QUERY_STRING'], 2));
// removing trailing / - maybe a nginx problem
if (substr(self::$query_string, 0, 1) == "/")
self::$query_string = substr(self::$query_string, 1);
}
if(x($_GET,'q'))
self::$cmd = trim($_GET['q'],'/\\');
self::$cmd = escape_tags(trim($_GET['q'],'/\\'));
// unix style "homedir"