6 files changed, 59 insertions, 24 deletions
diff --git a/phpBB/phpbb/controller/helper.php b/phpBB/phpbb/controller/helper.php
index 187e455d48..52e6947c2c 100644
--- a/phpBB/phpbb/controller/helper.php
+++ b/phpBB/phpbb/controller/helper.php
@@ -44,6 +44,9 @@ class helper
 	/* @var \phpbb\symfony_request */
 	protected $symfony_request;
 
+	/* @var \phpbb\request\request_interface */
+	protected $request;
+
 	/**
 	* @var \phpbb\filesystem The filesystem object
 	*/
@@ -70,16 +73,18 @@ class helper
 	* @param \phpbb\controller\provider $provider Path provider
 	* @param \phpbb\extension\manager $manager Extension manager object
 	* @param \phpbb\symfony_request $symfony_request Symfony Request object
+	* @param \phpbb\request\request_interface $request phpBB request object
 	* @param \phpbb\filesystem $filesystem The filesystem object
 	* @param string $phpbb_root_path phpBB root path
 	* @param string $php_ext PHP file extension
 	*/
-	public function __construct(\phpbb\template\template $template, \phpbb\user $user, \phpbb\config\config $config, \phpbb\controller\provider $provider, \phpbb\extension\manager $manager, \phpbb\symfony_request $symfony_request, \phpbb\filesystem $filesystem, $phpbb_root_path, $php_ext)
+	public function __construct(\phpbb\template\template $template, \phpbb\user $user, \phpbb\config\config $config, \phpbb\controller\provider $provider, \phpbb\extension\manager $manager, \phpbb\symfony_request $symfony_request, \phpbb\request\request_interface $request, \phpbb\filesystem $filesystem, $phpbb_root_path, $php_ext)
 	{
 		$this->template = $template;
 		$this->user = $user;
 		$this->config = $config;
 		$this->symfony_request = $symfony_request;
+		$this->request = $request;
 		$this->filesystem = $filesystem;
 		$this->phpbb_root_path = $phpbb_root_path;
 		$this->php_ext = $php_ext;
@@ -153,7 +158,7 @@ class helper
 			}
 		}
 
-		$base_url = $this->filesystem->clean_path($base_url);
+		$base_url = $this->request->escape($this->filesystem->clean_path($base_url), true);
 
 		$context->setBaseUrl($base_url);
 
@@ -197,6 +202,6 @@ class helper
 	*/
 	public function get_current_url()
 	{
-		return generate_board_url(true) . $this->symfony_request->getRequestUri();
+		return generate_board_url(true) . $this->request->escape($this->symfony_request->getRequestUri(), true);
 	}
 }
diff --git a/phpBB/phpbb/path_helper.php b/phpBB/phpbb/path_helper.php
index 936564d8b6..4a446a5d9d 100644
--- a/phpBB/phpbb/path_helper.php
+++ b/phpBB/phpbb/path_helper.php
@@ -154,6 +154,7 @@ class path_helper
 			return $this->web_root_path;
 		}
 
+		// We do not need to escape $path_info, $request_uri and $script_name because we can not find their content in the result.
 		// Path info (e.g. /foo/bar)
 		$path_info = $this->filesystem->clean_path($this->symfony_request->getPathInfo());
 
@@ -203,9 +204,12 @@ class path_helper
 		*/
 		if ($this->request->is_ajax() && $this->symfony_request->get('_referer'))
 		{
+			// We need to escape $absolute_board_url because it can be partially concatenated to the result.
+			$absolute_board_url = $this->request->escape($this->symfony_request->getSchemeAndHttpHost() . $this->symfony_request->getBasePath(), true);
+
 			$referer_web_root_path = $this->get_web_root_path_from_ajax_referer(
 				$this->symfony_request->get('_referer'),
-				$this->symfony_request->getSchemeAndHttpHost() . $this->symfony_request->getBasePath()
+				$absolute_board_url
 			);
 			return $this->web_root_path = $this->phpbb_root_path . $referer_web_root_path;
 		}
diff --git a/phpBB/phpbb/request/request.php b/phpBB/phpbb/request/request.php
index ea9854894c..f0f2f7e2a2 100644
--- a/phpBB/phpbb/request/request.php
+++ b/phpBB/phpbb/request/request.php
@@ -416,4 +416,27 @@ class request implements \phpbb\request\request_interface
 	{
 		return $this->input[$super_global];
 	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function escape($var, $multibyte)
+	{
+		if (is_array($var))
+		{
+			$result = array();
+			foreach ($var as $key => $value)
+			{
+				$this->type_cast_helper->set_var($key, $key, gettype($key), $multibyte);
+				$result[$key] = $this->escape($value, $multibyte);
+			}
+			$var = $result;
+		}
+		else
+		{
+			$this->type_cast_helper->set_var($var, $var, 'string', $multibyte);
+		}
+
+		return $var;
+	}
 }
diff --git a/phpBB/phpbb/request/request_interface.php b/phpBB/phpbb/request/request_interface.php
index 3236f73990..47b3b3a4ed 100644
--- a/phpBB/phpbb/request/request_interface.php
+++ b/phpBB/phpbb/request/request_interface.php
@@ -142,4 +142,14 @@ interface request_interface
 	* @return	array	The original array of the requested super global.
 	*/
 	public function get_super_global($super_global = \phpbb\request\request_interface::REQUEST);
+
+	/**
+	 * Escape a string variable.
+	 *
+	 * @param mixed	$value		The contents to fill with
+	 * @param bool	$multibyte	Indicates whether string values may contain UTF-8 characters.
+	 * 							Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks.
+	 * @return string|array
+	 */
+	public function escape($value, $multibyte);
 }
diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php
index 14b4c63207..dc90d942c3 100644
--- a/phpBB/phpbb/session.php
+++ b/phpBB/phpbb/session.php
@@ -31,10 +31,11 @@ class session
 	var $update_session_page = true;
 
 	/**
-	* Extract current session page
-	*
-	* @param string $root_path current root path (phpbb_root_path)
-	*/
+	 * Extract current session page
+	 *
+	 * @param string $root_path current root path (phpbb_root_path)
+	 * @return array
+	 */
 	static function extract_current_page($root_path)
 	{
 		global $request, $symfony_request, $phpbb_filesystem;
@@ -42,8 +43,8 @@ class session
 		$page_array = array();
 
 		// First of all, get the request uri...
-		$script_name = $symfony_request->getScriptName();
-		$args = explode('&', $symfony_request->getQueryString());
+		$script_name = $request->escape($symfony_request->getScriptName(), true);
+		$args = $request->escape(explode('&', $symfony_request->getQueryString()), true);
 
 		// If we are unable to get the script name we use REQUEST_URI as a failover and note it within the page array for easier support...
 		if (!$script_name)
@@ -61,8 +62,8 @@ class session
 
 		// Since some browser do not encode correctly we need to do this with some "special" characters...
 		// " -> %22, ' => %27, < -> %3C, > -> %3E
-		$find = array('"', "'", '<', '>');
-		$replace = array('%22', '%27', '%3C', '%3E');
+		$find = array('"', "'", '<', '>', '&quot;', '&lt;', '&gt;');
+		$replace = array('%22', '%27', '%3C', '%3E', '%22', '%3C', '%3E');
 
 		foreach ($args as $key => $argument)
 		{
diff --git a/phpBB/phpbb/symfony_request.php b/phpBB/phpbb/symfony_request.php
index ad949a35f2..2931cae3cc 100644
--- a/phpBB/phpbb/symfony_request.php
+++ b/phpBB/phpbb/symfony_request.php
@@ -15,6 +15,10 @@ namespace phpbb;
 
 use Symfony\Component\HttpFoundation\Request;
 
+/**
+ * WARNING: The Symfony request does not escape the input and should be used very carefully
+ * prefer the phpbb request as possible
+ */
 class symfony_request extends Request
 {
 	/**
@@ -24,24 +28,12 @@ class symfony_request extends Request
 	*/
 	public function __construct(\phpbb\request\request_interface $phpbb_request)
 	{
-		// This function is meant to sanitize the global input arrays
-		$sanitizer = function(&$value, $key) {
-			$type_cast_helper = new \phpbb\request\type_cast_helper();
-			$type_cast_helper->set_var($value, $value, gettype($value), true);
-		};
-
 		$get_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::GET);
 		$post_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::POST);
 		$server_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::SERVER);
 		$files_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::FILES);
 		$cookie_parameters = $phpbb_request->get_super_global(\phpbb\request\request_interface::COOKIE);
 
-		array_walk_recursive($get_parameters, $sanitizer);
-		array_walk_recursive($post_parameters, $sanitizer);
-		array_walk_recursive($server_parameters, $sanitizer);
-		array_walk_recursive($files_parameters, $sanitizer);
-		array_walk_recursive($cookie_parameters, $sanitizer);
-
 		parent::__construct($get_parameters, $post_parameters, array(), $cookie_parameters, $files_parameters, $server_parameters);
 	}
 }