19 Jun 2015, 1:50 p.m.
* Lukas Fleischer <lfleischer@archlinux.org> (Fri, 19 Jun 2015 15:04:14 +0200):
+ <input id="id_referer" type="hidden" name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'; ?>" />
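Review bot: The `value` attribute on the added `id_referer` input echoes `$_SERVER['HTTP_REFERER']` with no HTML escaping, and that header is supplied by the client, so a double quote in it closes the attribute and the rest is parsed as markup. The output context here is an HTML attribute, so escape for that context, for example `htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES)`, and keep the `'/'` fallback as it is. urlencode() would percent-encode the `:` and `/` of the whole URL and change the value the form submits, so it is the wrong encoder for this line.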
Please use urlencode() to escape the value of $_SERVER['HTTP_REFERER'].
With due respect, I think you're wrong here: he is not writing a URL parameter, but an HTML attribute. The URL-encoding has already been taken into account by the browser at this point. Please test it with a tag you create with a UTF-8 character in it, click on it to open a search result page and then log in and view the source.

Best,
Marcel