The default form action (request_uri) didn't escape HTML entities (such as &)

2002-05-21 16:00:39 +00:00 · 2002-05-21 16:00:39 +00:00 · 7cd6e0b17d
parent f1f458ddf0
commit 7cd6e0b17d
1 changed files with 1 additions and 1 deletions
--- a/includes/common.inc
+++ b/includes/common.inc
@ -567,7 +567,7 @@ function format_tag($link, $text) {
 }
 function form($form, $method = "post", $action = 0, $options = 0) {
-  return "<form action=\"". ($action ? $action : request_uri()) ."\" method=\"$method\"". ($options ? " $options" : "") .">\n$form</form>\n";
+  return "<form action=\"". ($action ? $action : htmlentities(request_uri())) ."\" method=\"$method\"". ($options ? " $options" : "") .">\n$form</form>\n";
 }
 function form_item($title, $value, $description = 0) {