diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-11-04 19:13:03 +0100 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2012-11-04 19:19:32 +0100 |
commit | 630f1cbae8473fb05e5f5af7244eccc60fe93812 (patch) | |
tree | 82eadb7175cc546baf740ef2aec74aafa35965c1 | |
parent | f190a845775381dfa8f583bd587337ae647629e8 (diff) |
Avoid use of "$_SERVER['REQUEST_URI']"
Use the routing library to build proper URIs instead of relying on the
"REQUEST_URI" server variable which can be manipulated and might return
bogus URIs.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r-- | web/html/login.php | 4 | ||||
-rw-r--r-- | web/template/pkg_comment_form.php | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/web/html/login.php b/web/html/login.php index d5bb1e7..9b3715b 100644 --- a/web/html/login.php +++ b/web/html/login.php @@ -20,7 +20,7 @@ html_header('AUR ' . __("Login")); <a href="<?php get_uri('/logout/'); ?>">[<?= __("Logout"); ?>]</a> </p> <?php elseif (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])): ?> - <form method="post" action="<?= htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES) ?>"> + <form method="post" action="<?= get_uri('/login') ?>"> <fieldset> <legend><?= __('Enter login credentials') ?></legend> <?php if (!empty($login_error)): ?> @@ -47,7 +47,7 @@ html_header('AUR ' . __("Login")); <?php else: ?> <p> <?php printf(__("HTTP login is disabled. Please %sswitch to HTTPs%s if you want to login."), - '<a href="' . $AUR_LOCATION . htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES) . '">', '</a>'); ?> + '<a href="' . $AUR_LOCATION . get_uri('/login') . '">', '</a>'); ?> </p> <?php endif; ?> </div> diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index da871ec..8e74fe6 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php @@ -1,6 +1,6 @@ <div id="generic-form" class="box"> <h2><?= __("Add Comment"); ?></h2> - <form action="<?= $_SERVER['REQUEST_URI'] ?>" method="post"> + <form action="<?= get_pkg_uri($row['Name']) ?>" method="post"> <fieldset> <?php if (isset($_REQUEST['comment']) && check_token()) { |