Author: Ilija Tovilo (iluuu1994) Committer: Derick Rethans (derickr) Date: 2026-06-23T16:07:42+01:00
Commit: https://github.com/php/web-master/commit/62ffa6fa3e8d8c5fc8d7d0969dc24f0687fea4f6 Raw diff: https://github.com/php/web-master/commit/62ffa6fa3e8d8c5fc8d7d0969dc24f0687fea4f6.diff Fix PHP_SELF escaping Warning: Completely untested. Changed paths: M include/functions.inc M public/forgot.php Diff:
diff --git a/include/functions.inc b/include/functions.inc
index dfb3acb..c356e25 100644
--- a/include/functions.inc
+++ b/include/functions.inc
@@ -124,7 +124,7 @@ function show_prev_next($begin, $rows, $skip, $total, $extra = [], $table = true
 <?php if ($begin > 0) {
 printf("<a href=\"%s?%s\">« Previous %d",
- $_SERVER['PHP_SELF'],
+ hsc($_SERVER['PHP_SELF']),
 array_to_url($extra, ["begin" => max(0,$begin-$skip)]),
 min($skip,$begin));
 }
@@ -143,7 +143,7 @@ function show_prev_next($begin, $rows, $skip, $total, $extra = [], $table = true
 <?php if ($begin+$rows < $total) {
 printf("<a href=\"%s?%s\">Next %d »",
- $_SERVER['PHP_SELF'],
+ hsc($_SERVER['PHP_SELF']),
 array_to_url($extra, ["begin" => $begin+$skip]),
 min($skip,$total-($begin+$skip)));
 }
diff --git a/public/forgot.php b/public/forgot.php
index 3abba44..bca7388 100644
--- a/public/forgot.php
+++ b/public/forgot.php
@@ -94,7 +94,7 @@ function random_password() {
 ?>
 <p>Forgot your <acronym title="Version Control System">VCS</acronym> password, huh? Just fill in your VCS username, and instructions will be sent to you on how to change your password.</p>
-<form method="post" action="<?= $_SERVER['PHP_SELF'] ?>">
+<form method="post" action="<?= hsc($_SERVER['PHP_SELF']) ?>">
 <label for="user">username:</label>
 <input type="text" id="user" name="user" value="<?php echo hsc($user)?>" />
 <input type="submit" value="send help" />
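Review bot: The second `%s` of the same printf — the `array_to_url($extra, ...)` query string — still lands in the `href` attribute without hsc() in both hunks of show_prev_next (-124 and -143), so the new escaping covers only the path component. Unless array_to_url already HTML-encodes its output (its definition is not in this diff), any `$extra` value that originates from the request could still terminate the attribute, and a bare `&` separator is not valid inside an attribute value either; URL-encoding inside array_to_url would not substitute for HTML escaping. Wrapping that argument too, `hsc(array_to_url($extra, ["begin" => max(0,$begin-$skip)])),` and the matching line in the second hunk, would close the gap for both links. Given the commit message says the change is untested, a render of the Previous/Next links with a crafted `$extra` key would confirm both the path and query parts are encoded. The body of show_prev_next begins before and continues after each hunk.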
