summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLukas Fleischer <archlinux@cryptocrack.de>2012-11-04 19:13:03 +0100
committerLukas Fleischer <archlinux@cryptocrack.de>2012-11-04 19:19:32 +0100
commit630f1cbae8473fb05e5f5af7244eccc60fe93812 (patch)
tree82eadb7175cc546baf740ef2aec74aafa35965c1
parentf190a845775381dfa8f583bd587337ae647629e8 (diff)
Avoid use of "$_SERVER['REQUEST_URI']"
Use the routing library to build proper URIs instead of relying on the "REQUEST_URI" server variable which can be manipulated and might return bogus URIs. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r--web/html/login.php4
-rw-r--r--web/template/pkg_comment_form.php2
2 files changed, 3 insertions, 3 deletions
diff --git a/web/html/login.php b/web/html/login.php
index d5bb1e7..9b3715b 100644
--- a/web/html/login.php
+++ b/web/html/login.php
@@ -20,7 +20,7 @@ html_header('AUR ' . __("Login"));
<a href="<?php get_uri('/logout/'); ?>">[<?= __("Logout"); ?>]</a>
</p>
<?php elseif (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])): ?>
- <form method="post" action="<?= htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES) ?>">
+ <form method="post" action="<?= get_uri('/login') ?>">
<fieldset>
<legend><?= __('Enter login credentials') ?></legend>
<?php if (!empty($login_error)): ?>
@@ -47,7 +47,7 @@ html_header('AUR ' . __("Login"));
<?php else: ?>
<p>
<?php printf(__("HTTP login is disabled. Please %sswitch to HTTPs%s if you want to login."),
- '<a href="' . $AUR_LOCATION . htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES) . '">', '</a>'); ?>
+ '<a href="' . $AUR_LOCATION . get_uri('/login') . '">', '</a>'); ?>
</p>
<?php endif; ?>
</div>
diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php
index da871ec..8e74fe6 100644
--- a/web/template/pkg_comment_form.php
+++ b/web/template/pkg_comment_form.php
@@ -1,6 +1,6 @@
<div id="generic-form" class="box">
<h2><?= __("Add Comment"); ?></h2>
- <form action="<?= $_SERVER['REQUEST_URI'] ?>" method="post">
+ <form action="<?= get_pkg_uri($row['Name']) ?>" method="post">
<fieldset>
<?php
if (isset($_REQUEST['comment']) && check_token()) {