authorUrban Müller2009-09-08 15:06:21 +0000
committerUrban Müller2009-09-08 15:06:21 +0000
commitfdb49bcc7704cbf46014dae6091f61235dab01cb (patch)
tree07630068f34a850b54db1046e1e06e3c8c836aa1
parentc76b416bb384500b372f1dbc02ccf1c8d9ab1178 (diff)
guarantee validating urls, fix double encoding of url params in base
-rw-r--r--it_html.class13
-rwxr-xr-xtests/it_html.t10
2 files changed, 20 insertions, 3 deletions
diff --git a/it_html.class b/it_html.class
index 536ba05..039f649 100644
--- a/it_html.class
+++ b/it_html.class
@@ -440,10 +440,17 @@ function u(/* ... */)
list($base, $params) = it_html::_parse_args($args);
if (!isset($base))
- $base = $_SERVER['PHP_SELF'];
+ $base = preg_replace('/\?.*/', '', $_SERVER['REQUEST_URI']);
- $base = preg_replace('|\0|', '', $base);
- $base = preg_replace('|[^\w.+!*(),:?@&=/~$-]|e', 'urlencode(stripslashes("$0"))', $base); # Single quotes are escaped with slash by preg_replace, remove it for urlencode
+ $base = preg_replace(array('|\0|', '/\\\\/'), array('', '/'), $base);
+
+ # hack: encode % if not followed by two hex digits
+ $parts = preg_split('/%([^%]{0,2})/', $base, -1, PREG_SPLIT_DELIM_CAPTURE);
+ for ($i = 1; $i < count($parts); $i+=2)
+ $parts[$i] = (preg_match('/[0-9a-f][0-9a-f]/i', $parts[$i]) ? "%" : "%25") . $parts[$i];
+ $base = join("", $parts);
+
+ $base = preg_replace('|[^-\w.+!*(),:?@&=/~$%]|e', 'urlencode(stripslashes("$0"))', $base); # Single quotes are escaped with slash by preg_replace, remove it for urlencode
$base = preg_replace('|^(\w+:)?//[^/]*$|', '$0/', $base); # Add slash if absolute url without a path, e.g. http://gna.ch
$queryparams = it_url::params($params);
$separator = strpos($base, "?") === false ? "?" : "&";
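Review bot: The `/e` modifier on the whitelist replace (the `urlencode(stripslashes("$0"))` line) evaluates the replacement string as PHP code, and with this change the value it runs over now defaults to the client-supplied `$_SERVER['REQUEST_URI']`; the backslash-escaping preg_replace applies to `$0` (the reason for the `stripslashes` workaround) is the only thing standing between that input and the eval. `preg_replace_callback` does the same job without evaluating code and without the quoting caveat, e.g. `$base = preg_replace_callback('|[^-\w.+!*(),:?@&=/~$%]|', function ($m) { return urlencode($m[0]); }, $base);` on PHP 5.3, or a named static callback on older releases. Separately, `REQUEST_URI` is not populated under the CLI, so the new fallback on the `if (!isset($base))` branch presumably raises a notice when `U()` is called without a base from a script or from tests/it_html.t; guarding it with `isset($_SERVER['REQUEST_URI'])` and keeping `PHP_SELF` as the fallback would avoid that. The body of u() continues outside the hunk.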
diff --git a/tests/it_html.t b/tests/it_html.t
index 592fffe..9c05341 100755
--- a/tests/it_html.t
+++ b/tests/it_html.t
@@ -131,5 +131,15 @@ is(
'U() with single quotes in URL',
);
+is(
+ U('%% %1%x %1x%x1%xx%11%ff%FF'),
+ '%25%25+%251%25x+%251x%25x1%25xx%11%ff%FF',
+ 'quoting of % if not followed by 2 hex digits'
+);
+is(
+ U('a\\b'),
+ 'a/b',
+ 'converting of \ to /'
+);
?>