author | Urban Müller | 2009-09-08 15:06:21 +0000 |
committer | Urban Müller | 2009-09-08 15:06:21 +0000 |
commit | fdb49bcc7704cbf46014dae6091f61235dab01cb (patch) | |
tree | 07630068f34a850b54db1046e1e06e3c8c836aa1 /it_html.class | |
parent | c76b416bb384500b372f1dbc02ccf1c8d9ab1178 (diff) | |
guarantee that generated urls validate, fix double encoding of url params in base
Diffstat (limited to 'it_html.class')
-rw-r--r-- | it_html.class | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/it_html.class b/it_html.class
index 536ba05..039f649 100644
--- a/it_html.class
+++ b/it_html.class
@@ -440,10 +440,17 @@ function u(/* ... */)
 list($base, $params) = it_html::_parse_args($args);
 if (!isset($base))
- $base = $_SERVER['PHP_SELF'];
+ $base = preg_replace('/\?.*/', '', $_SERVER['REQUEST_URI']);
- $base = preg_replace('|\0|', '', $base);
- $base = preg_replace('|[^\w.+!*(),:?@&=/~$-]|e', 'urlencode(stripslashes("$0"))', $base); # Single quotes are escaped with slash by preg_replace, remove it for urlencode
+ $base = preg_replace(array('|\0|', '/\\\\/'), array('', '/'), $base);
+
+ # hack: encode % if not followed by two hex digits
+ $parts = preg_split('/%([^%]{0,2})/', $base, -1, PREG_SPLIT_DELIM_CAPTURE);
+ for ($i = 1; $i < count($parts); $i+=2)
+ $parts[$i] = (preg_match('/[0-9a-f][0-9a-f]/i', $parts[$i]) ? "%" : "%25") . $parts[$i];
+ $base = join("", $parts);
+
+ $base = preg_replace('|[^-\w.+!*(),:?@&=/~$%]|e', 'urlencode(stripslashes("$0"))', $base); # Single quotes are escaped with slash by preg_replace, remove it for urlencode
 $base = preg_replace('|^(\w+:)?//[^/]*$|', '$0/', $base); # Add slash if absolute url without a path, e.g. http://gna.ch
 $queryparams = it_url::params($params);
 $separator = strpos($base, "?") === false ? "?" : "&"; |
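Review bot: The new default base is taken from `$_SERVER['REQUEST_URI']`, which is the raw, client-chosen request target, and nothing in the hunk checks that the result is a local path; depending on how the web server passes the request line through, a request for `//evil.example/page` (or `\\evil.example\page`, which the new backslash-to-slash rewrite turns into the same thing) would make `u()` emit a protocol-relative link to a foreign host, because `/` is on the character whitelist and the slash-appending regex below accepts a scheme-less `//host` prefix. After the `preg_replace` on the `REQUEST_URI` line I would add `if (!preg_match('#^/(?![/\\\\])#', $base)) $base = '/';` (wrapping the branch in braces) so that only an origin-form absolute path is accepted as the default. Separately, the re-added `urlencode(stripslashes("$0"))` line still relies on the `/e` modifier, which eval()s the replacement string; `preg_replace_callback` with `rawurlencode` would drop the eval and also stop a space in the path being encoded as `+`, which is a literal plus rather than a space in a path. The body of `u()` starts and ends outside the hunk.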