1 files changed, 40 insertions, 13 deletions
diff --git a/phpBB/phpbb/controller/helper.php b/phpBB/phpbb/controller/helper.php
index fc19b855c0..c6c470e91b 100644
--- a/phpBB/phpbb/controller/helper.php
+++ b/phpBB/phpbb/controller/helper.php
@@ -44,6 +44,9 @@ class helper
 	/* @var \phpbb\symfony_request */
 	protected $symfony_request;
 
+	/* @var \phpbb\request\request_interface */
+	protected $request;
+
 	/**
 	* @var \phpbb\filesystem The filesystem object
 	*/
@@ -70,16 +73,18 @@ class helper
 	* @param \phpbb\controller\provider $provider Path provider
 	* @param \phpbb\extension\manager $manager Extension manager object
 	* @param \phpbb\symfony_request $symfony_request Symfony Request object
+	* @param \phpbb\request\request_interface $request phpBB request object
 	* @param \phpbb\filesystem $filesystem The filesystem object
 	* @param string $phpbb_root_path phpBB root path
 	* @param string $php_ext PHP file extension
 	*/
-	public function __construct(\phpbb\template\template $template, \phpbb\user $user, \phpbb\config\config $config, \phpbb\controller\provider $provider, \phpbb\extension\manager $manager, \phpbb\symfony_request $symfony_request, \phpbb\filesystem $filesystem, $phpbb_root_path, $php_ext)
+	public function __construct(\phpbb\template\template $template, \phpbb\user $user, \phpbb\config\config $config, \phpbb\controller\provider $provider, \phpbb\extension\manager $manager, \phpbb\symfony_request $symfony_request, \phpbb\request\request_interface $request, \phpbb\filesystem $filesystem, $phpbb_root_path, $php_ext)
 	{
 		$this->template = $template;
 		$this->user = $user;
 		$this->config = $config;
 		$this->symfony_request = $symfony_request;
+		$this->request = $request;
 		$this->filesystem = $filesystem;
 		$this->phpbb_root_path = $phpbb_root_path;
 		$this->php_ext = $php_ext;
@@ -140,17 +145,20 @@ class helper
 		// If enable_mod_rewrite is false we need to replace the current front-end by app.php, otherwise we need to remove it.
 		$base_url = str_replace('/' . $page_name, empty($this->config['enable_mod_rewrite']) ? '/app.' . $this->php_ext : '', $base_url);
 
-		// We need to update the base url to move to the directory of the app.php file
-		if (empty($this->config['enable_mod_rewrite']))
-		{
-			$base_url = str_replace('/app.' . $this->php_ext, '/' . $this->phpbb_root_path . 'app.' . $this->php_ext, $base_url);
-		}
-		else
+		// We need to update the base url to move to the directory of the app.php file if the current script is not app.php
+		if ($page_name !== 'app.php')
 		{
-			$base_url .= preg_replace(get_preg_expression('path_remove_dot_trailing_slash'), '$2', $this->phpbb_root_path);
+			if (empty($this->config['enable_mod_rewrite']))
+			{
+				$base_url = str_replace('/app.' . $this->php_ext, '/' . $this->phpbb_root_path . 'app.' . $this->php_ext, $base_url);
+			}
+			else
+			{
+				$base_url .= preg_replace(get_preg_expression('path_remove_dot_trailing_slash'), '$2', $this->phpbb_root_path);
+			}
 		}
 
-		$base_url = $this->filesystem->clean_path($base_url);
+		$base_url = $this->request->escape($this->filesystem->clean_path($base_url), true);
 
 		$context->setBaseUrl($base_url);
 
@@ -176,15 +184,34 @@ class helper
 	* @param string $message The error message
 	* @param int $code The error code (e.g. 404, 500, 503, etc.)
 	* @return Response A Response instance
+	*
+	* @deprecated 3.1.3 (To be removed: 3.3.0) Use exceptions instead.
 	*/
 	public function error($message, $code = 500)
 	{
+		return $this->message($message, array(), 'INFORMATION', $code);
+	}
+
+	/**
+	 * Output a message
+	 *
+	 * In case of an error, please throw an exception instead
+	 *
+	 * @param string $message The message to display (must be a language variable)
+	 * @param array $parameters The parameters to use with the language var
+	 * @param string $title Title for the message (must be a language variable)
+	 * @param int $code The HTTP status code (e.g. 404, 500, 503, etc.)
+	 * @return Response A Response instance
+	 */
+	public function message($message, array $parameters = array(), $title = 'INFORMATION', $code = 200)
+	{
+		array_unshift($parameters, $message);
 		$this->template->assign_vars(array(
-			'MESSAGE_TEXT'	=> $message,
-			'MESSAGE_TITLE'	=> $this->user->lang('INFORMATION'),
+			'MESSAGE_TEXT'	=> call_user_func_array(array($this->user, 'lang'), $parameters),
+			'MESSAGE_TITLE'	=> $this->user->lang($title),
 		));
 
-		return $this->render('message_body.html', $this->user->lang('INFORMATION'), $code);
+		return $this->render('message_body.html', $this->user->lang($title), $code);
 	}
 
 	/**
@@ -194,6 +221,6 @@ class helper
 	*/
 	public function get_current_url()
 	{
-		return generate_board_url(true) . $this->symfony_request->getRequestUri();
+		return generate_board_url(true) . $this->request->escape($this->symfony_request->getRequestUri(), true);
 	}
 }