authorNils Adermann <naderman@naderman.de>2014-11-16 16:50:15 +0100
committerNils Adermann <naderman@naderman.de>2014-11-16 16:50:15 +0100
commit4ffdb129388d72cdcc790f1c3713e3770d8aeca9 (patch)
tree21782b0a29593cc789b8e206eb0624aaf3febdd0 /phpBB/phpbb/session.php
parente27b69f42a4d23ceb2f19050366a3f7d91887c69 (diff)
parent0dfe1d0d8b007ec7b7cae0715cfb2e5f4e33bad4 (diff)
Merge remote-tracking branch 'github-nicofuma/ticket/13280' into develop-ascraeus
* github-nicofuma/ticket/13280: [ticket/13280] Output escaping for the symfony request object [ticket/13280] Add new tests [ticket/13280] Make the tests failing [ticket/13280] Revert "Merge pull request #3107 from marc1706/ticket/13280"
Diffstat (limited to 'phpBB/phpbb/session.php')
-rw-r--r--phpBB/phpbb/session.php13
1 files changed, 7 insertions, 6 deletions
diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index a06ff9c594..dc90d942c3 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
@@ -31,10 +31,11 @@ class session
var $update_session_page = true;
/**
- * Extract current session page
- *
- * @param string $root_path current root path (phpbb_root_path)
- */
+ * Extract current session page
+ *
+ * @param string $root_path current root path (phpbb_root_path)
+ * @return array
+ */
static function extract_current_page($root_path)
{
global $request, $symfony_request, $phpbb_filesystem;
@@ -42,8 +43,8 @@ class session
$page_array = array();
// First of all, get the request uri...
- $script_name = $symfony_request->getScriptName();
- $args = explode('&amp;', $symfony_request->getQueryString());
+ $script_name = $request->escape($symfony_request->getScriptName(), true);
+ $args = $request->escape(explode('&', $symfony_request->getQueryString()), true);
// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
if (!$script_name)
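Review bot: The two added `$request->escape(..., true)` calls make `$script_name` and every element of `$args` HTML-escaped from this point on, but nothing in the hunk records that contract, so a later reader cannot tell whether these values still need encoding before output or are already safe only for an HTML context. I would add a comment above them such as `// $script_name and $args are HTML-escaped from here on: do not decode them, and do not escape them again on output`. The escaping is applied to the query string as Symfony returns it, which is presumably still percent-encoded, so any later `urldecode()` of these values would bring raw markup back; the rest of `extract_current_page()` lies outside the hunk, so whether that happens cannot be confirmed here. The bare `true` second argument would also read better with a short note on what it selects, and `getQueryString()` can return null when the request has no query string, in which case `explode()` yields a single empty element that is then passed through `escape()`.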