From d7b29e050f46f016b5460b28895467c063680953 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Tue, 3 Jun 2003 18:05:04 +0000
Subject: [PATCH] - Bugfix: made request_uri() rewrite ( and ) with their entity equivalents to avoid XSS attacks! Patch by Al, Moshe, Marco, Kjartan and me.
---
includes/common.inc | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/includes/common.inc b/includes/common.inc
index e07b8d2f3b2..18a40be7c5d 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -99,11 +99,28 @@ function request_uri() {
 global $REQUEST_URI, $PATH_INFO, $QUERY_STRING;
 if ($REQUEST_URI) {
- return $REQUEST_URI;
+ $uri = $REQUEST_URI;
 }
 else {
- return $PATH_INFO ."?". $QUERY_STRING;
+ $uri = $PATH_INFO ."?". $QUERY_STRING;
 }
+
+ /*
+ ** We pipe the request URI through htmlspecialchars() to prevent
+ ** XSS attacks.
+ */
+
+ $uri = htmlspecialchars($uri, ENT_QUOTES);
+
+ /*
+ ** We replace ( and ) with their entity equivalents to prevent XSS
+ ** attacks.
+ */
+
+ $uri = strtr($uri, array("(" => "&040;", ")" => "&041;"));
+
+
+ return $uri;
 }
 function message_access() {
@@ -592,7 +609,7 @@ function format_tag($link, $text) {
 }
 function form($form, $method = "post", $action = 0, $options = 0) {
- return "
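Review bot: In request_uri(), the strtr() map writes `&040;` and `&041;`, which as printed are not valid HTML character references: a numeric reference needs `&#`, and the decimal codes for ( and ) are 40 and 41. A URI containing parentheses would therefore come back with the literal text `&040;` in it instead of a parenthesis the browser can display; the line should read `$uri = strtr($uri, array("(" => "&#40;", ")" => "&#41;"));`. Separately, because the escaping now happens inside request_uri(), every caller receives an HTML-encoded string, so the function deserves a comment such as `// Returns the request URI escaped for HTML output; do not re-escape it or use it in HTTP headers.`. Callers are outside the hunk, so whether any of them uses the value in a redirect or escapes it a second time could not be checked here.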
\n$form
\n"; + return "
\n$form
\n"; } function form_item($title, $value, $description = 0) {