From d3fba73ae6ab78df4da2ae18d7d9bb72b3021b68 Mon Sep 17 00:00:00 2001
From: bnu
Date: Mon, 16 Feb 2015 17:42:59 +0900
Subject: [PATCH] =?UTF-8?q?fix=20#1262=20-=20parameter=20key=EB=A5=BC=20?= =?UTF-8?q?=ED=86=B5=ED=95=9C=20XSS=20=EB=B0=A9=EC=A7=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 classes/context/Context.class.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/classes/context/Context.class.php b/classes/context/Context.class.php
index 1ed44854d..2f8ca22e6 100644
--- a/classes/context/Context.class.php
+++ b/classes/context/Context.class.php
@@ -367,6 +367,8 @@ class Context
 $this->allow_rewrite = ($this->db_info->use_rewrite == 'Y' ? TRUE : FALSE);
 // set locations for javascript use
+ $url = array();
+ $current_url = self::getRequestUri();
 if($_SERVER['REQUEST_METHOD'] == 'GET')
 {
 if($this->get_vars)
@@ -386,17 +388,21 @@ class Context
 $url[] = $key . '=' . urlencode($val);
 }
 }
- $this->set('current_url', self::getRequestUri() . '?' . join('&', $url));
+
+ $current_url = self::getRequestUri();
+ if($url) $current_url .= '?' . join('&', $url);
 }
 else
 {
- $this->set('current_url', $this->getUrl());
+ $current_url = $this->getUrl();
 }
 }
 else
 {
- $this->set('current_url', self::getRequestUri());
+ $current_url = self::getRequestUri();
 }
+
+ $this->set('current_url', $current_url);
 $this->set('request_uri', self::getRequestUri());
 }
@@ -1157,6 +1163,7 @@ class Context
 {
 continue;
 }
+ $key = htmlentities($key);
 $val = $this->_filterRequestVar($key, $val);
 if($requestMethod == 'GET' && isset($_GET[$key]))
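Review bot: The added `$current_url = self::getRequestUri();` initializer appears to be overwritten on every path of the if/else that follows — as far as the second hunk shows, each branch assigns `$current_url` before the final `$this->set('current_url', $current_url);` — so it is dead on arrival and costs an extra `getRequestUri()` call. Either drop this initializer and keep the branch assignments, or keep it and remove the outer `else { $current_url = self::getRequestUri(); }` branch, which now duplicates it. The `$url = array();` line is the useful part of this hunk, since it guarantees `join('&', $url)` receives an array even when the loop adds nothing. The enclosing method starts and ends outside this hunk.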
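Review bot: The new `if($url) $current_url .= '?' . join('&', $url);` line writes each parameter name into the stored URL without URL-encoding it — the context line `$url[] = $key . '=' . urlencode($val);` encodes only the value, so `$key` is concatenated verbatim. Because the comment above this block says the value is set "for javascript use", the safer form is to encode both sides where the query string is assembled, `$url[] = urlencode($key) . '=' . urlencode($val);`, so the URL is well-formed in its own context regardless of what other filtering the key received; the `htmlentities($key)` added in the third hunk is HTML-context escaping, which does not make a key safe for a URL and may alter the parameter name the URL carries. The `foreach` that fills `$url` begins before this hunk.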