harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

escape query string

Browse Source
This commit is contained in:
Mario Vavti 2018-06-07 22:45:07 +02:00
parent d3bc50e18d
commit b3928f3d2a
5 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Zotlabs/Module/Connections.php
View File

@ -326,7 +326,7 @@ class Connections extends \Zotlabs\Web\Controller {
killme(); killme();
} }
else { else {
$o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$o .= replace_macros(get_markup_template('connections.tpl'),array( $o .= replace_macros(get_markup_template('connections.tpl'),array(
'$header' => t('Connections') . (($head) ? ': ' . $head : ''), '$header' => t('Connections') . (($head) ? ': ' . $head : ''),
'$tabs' => $tabs, '$tabs' => $tabs,

2
Zotlabs/Module/Directory.php
View File

@ -395,7 +395,7 @@ class Directory extends \Zotlabs\Web\Controller {
$dirtitle = (($globaldir) ? t('Global Directory') : t('Local Directory')); $dirtitle = (($globaldir) ? t('Global Directory') : t('Local Directory'));
$o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . "; </script>"; $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; divmore_height = " . intval($maxheight) . "; </script>";
$o .= replace_macros($tpl, array( $o .= replace_macros($tpl, array(
'$search' => $search, '$search' => $search,
'$desc' => t('Find'), '$desc' => t('Find'),

4
Zotlabs/Module/Photos.php
View File

@ -838,7 +838,7 @@ class Photos extends \Zotlabs\Web\Controller {
killme(); killme();
} }
else { else {
$o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$tpl = get_markup_template('photo_album.tpl'); $tpl = get_markup_template('photo_album.tpl');
$o .= replace_macros($tpl, array( $o .= replace_macros($tpl, array(
'$photos' => $photos, '$photos' => $photos,
@ -1377,7 +1377,7 @@ class Photos extends \Zotlabs\Web\Controller {
killme(); killme();
} }
else { else {
$o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$tpl = get_markup_template('photos_recent.tpl'); $tpl = get_markup_template('photos_recent.tpl');
$o .= replace_macros($tpl, array( $o .= replace_macros($tpl, array(
'$title' => t('Recent Photos'), '$title' => t('Recent Photos'),

2
Zotlabs/Module/Viewconnections.php
View File

@ -107,7 +107,7 @@ class Viewconnections extends \Zotlabs\Web\Controller {
killme(); killme();
} }
else { else {
$o .= "<script> var page_query = '" . $_GET['q'] . "'; var extra_args = '" . extra_query_args() . "' ; </script>"; $o .= "<script> var page_query = '" . escape_tags($_GET['q']) . "'; var extra_args = '" . extra_query_args() . "' ; </script>";
$tpl = get_markup_template("viewcontact_template.tpl"); $tpl = get_markup_template("viewcontact_template.tpl");
$o .= replace_macros($tpl, array( $o .= replace_macros($tpl, array(
'$title' => t('View Connections'), '$title' => t('View Connections'),

4
boot.php
View File

@ -876,13 +876,13 @@ class App {
set_include_path("include/self::$hostname" . PATH_SEPARATOR . get_include_path()); set_include_path("include/self::$hostname" . PATH_SEPARATOR . get_include_path());
if((x($_SERVER,'QUERY_STRING')) && substr($_SERVER['QUERY_STRING'], 0, 2) === "q=") { if((x($_SERVER,'QUERY_STRING')) && substr($_SERVER['QUERY_STRING'], 0, 2) === "q=") {
self::$query_string = substr($_SERVER['QUERY_STRING'], 2); self::$query_string = escape_tags(substr($_SERVER['QUERY_STRING'], 2));
// removing trailing / - maybe a nginx problem // removing trailing / - maybe a nginx problem
if (substr(self::$query_string, 0, 1) == "/") if (substr(self::$query_string, 0, 1) == "/")
self::$query_string = substr(self::$query_string, 1); self::$query_string = substr(self::$query_string, 1);
} }
if(x($_GET,'q')) if(x($_GET,'q'))
self::$cmd = trim($_GET['q'],'/\\'); self::$cmd = escape_tags(trim($_GET['q'],'/\\'));
// unix style "homedir" // unix style "homedir"