fixed XSS security in integration search

git-svn-id: http://xe-core.googlecode.com/svn/branches/1.5.0@9839 201d5d3c-b55e-5fd7-737f-ddc643e51545
devjin 2011-11-17 08:32:55 +00:00
parent 75d660bf1a
commit 0dbd9091b0
6 changed files with 36 additions and 24 deletions


@ -789,7 +789,7 @@ class Context {
* @brief make URL with args_list upon request URL
* @return result URL
**/
function getUrl($num_args=0, $args_list=array(), $domain = null, $encode = true, $auto = false) {
function getUrl($num_args=0, $args_list=array(), $domain = null, $encode = true, $autoEncode = false) {
static $site_module_info = null;
static $current_info = null;
@ -936,21 +936,22 @@ class Context {
}
if ($encode){
if($auto){
if($autoEncode){
$parsedUrl = parse_url($query);
parse_str($parsedUrl['query'], $output);
$encode_queries = array();
foreach($output as $key=>$value){
if (!preg_match('/&([a-z]{2,}|#\d+);/', $value)){
$value = htmlspecialchars($value);
if (preg_match('/&([a-z]{2,}|#\d+);/', urldecode($value))){
$value = urlencode(htmlspecialchars_decode(urldecode($value)));
}
$encode_queries[] = $key.'='.$value;
}
$encode_query = implode('&', $encode_queries);
return $parsedUrl['path'].'?'.$encode_query;
$encode_query = implode('&', $encode_queries);
return htmlspecialchars($parsedUrl['path'].'?'.$encode_query);
}
else
else{
return htmlspecialchars($query);
}
}else{
return $query;
}