19 Jun 2015, 3:26 p.m.
On Fri, 19 Jun 2015 at 15:50:57, Marcel Korpel wrote:
* Lukas Fleischer <lfleischer@archlinux.org> (Fri, 19 Jun 2015 15:04:14 +0200):
+ <input id="id_referer" type="hidden" name="referer" value="<?= !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '/'; ?>" />
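Review bot: `$_SERVER['HTTP_REFERER']` is a client-supplied header and is interpolated unescaped into the double-quoted `value` attribute, so a Referer containing `"` closes the attribute and lets the client add further attributes (an event handler, for instance) to the input element. Escape for the HTML-attribute context, e.g. `htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8')`; urlencode() would also stop the breakout, but the browser would then submit the percent-encoded string rather than the original URL.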
Please use urlencode() to escape the value of $_SERVER['HTTP_REFERER'].
With due respect, I think you're wrong here: he is not writing a URL parameter, but an HTML attribute. The URL-encoding has already been taken into account by the browser at this point. [...]
Yeah, you're right. Good catch! It should be htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES) then.
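The following is an added example, not code from the thread or from the AUR code base. It renders the hidden `referer` field the three ways discussed above (raw, `urlencode()`, `htmlspecialchars()` with `ENT_QUOTES`) and parses each result with PHP's own HTML parser to show what a browser would see: which extra attributes got injected, and which value the form would actually submit. The hostile Referer string is constructed for the demo, and the function names (`renderRaw`, `renderUrlencoded`, `renderEscaped`, `parseInput`) are this example's own.

```php
<?php
// Added example (not code from the aur-dev thread or from the AUR code base).
// Renders the hidden "referer" field three ways and parses the result the way
// a browser would, to show why HTML-attribute escaping is the right fix.
// Run with: php referer_escaping.php

// Constructed hostile Referer value (an assumption for the demo): the header is
// supplied by the client, so it can contain anything, including '"'.
const HOSTILE_REFERER = 'https://example.invalid/" autofocus onfocus="alert(1)';

// 1. The line as posted in the patch: raw interpolation into the attribute.
function renderRaw(string $referer): string
{
    $value = !empty($referer) ? $referer : '/';
    return '<input id="id_referer" type="hidden" name="referer" value="' . $value . '" />';
}

// 2. The first suggestion, urlencode(): stops the breakout, but the browser
//    will submit the percent-encoded string, not the original URL.
function renderUrlencoded(string $referer): string
{
    $value = !empty($referer) ? $referer : '/';
    return '<input id="id_referer" type="hidden" name="referer" value="' . urlencode($value) . '" />';
}

// 3. The fix agreed on in the thread: escape for the attribute context.
//    ENT_QUOTES covers ' as well as "; the explicit charset avoids relying on
//    the PHP-version-dependent default (ISO-8859-1 before PHP 5.4).
function renderEscaped(string $referer): string
{
    $value = !empty($referer) ? $referer : '/';
    return '<input id="id_referer" type="hidden" name="referer" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '" />';
}

// Parse the markup with PHP's HTML parser (ext/dom, libxml2) and return the
// attributes a browser would see, with entity references already decoded.
function parseInput(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // fragments trigger harmless warnings
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $attrs = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

$expected = ['id' => true, 'type' => true, 'name' => true, 'value' => true];
$variants = ['raw' => 'renderRaw', 'urlencode' => 'renderUrlencoded', 'htmlspecialchars' => 'renderEscaped'];
foreach ($variants as $label => $render) {
    $html     = $render(HOSTILE_REFERER);
    $attrs    = parseInput($html);
    $injected = array_keys(array_diff_key($attrs, $expected));   // attributes the attacker added
    printf("%-16s injected attributes: %s\n", $label, $injected ? implode(', ', $injected) : 'none');
    printf("%-16s submitted value:     %s\n", '', $attrs['value'] ?? '(missing)');
    printf("%-16s round-trips intact:  %s\n\n", '',
        ($attrs['value'] ?? null) === HOSTILE_REFERER ? 'yes' : 'no');
}
```

Running it shows the raw variant picking up `autofocus` and `onfocus` as real attributes, the `urlencode()` variant injecting nothing but submitting a percent-encoded string that the server would have to decode again, and the `htmlspecialchars()` variant injecting nothing while submitting the original Referer unchanged. Note that escaping only fixes the markup: the `referer` value the form posts back is still chosen by the client, so whatever later consumes it (for example as a redirect target) has to validate it separately.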