Commit 3c54867b authored by Carsten  Rose's avatar Carsten Rose

Sanitize.php: implemented htmlentitiesArr().

Store.php: fillStoreClient now htmlentities() the $_SERVER array.
parent c1ad7742
......@@ -178,6 +178,28 @@ class Sanitize {
return preg_replace($search, $replace, $filename);
} // safeFilename()
/**
* htmlentities($data) - if $data is an array, convert it recursively.
*
* @param string|array $data
* @param int $mode
* @return array|string
*/
public static function htmlentitiesArr($data, $mode = ENT_QUOTES) {
if (is_string($data)) {
htmlentities($data, $mode);
}
if (is_array($data)) {
foreach ($data as $key => $value) {
$data[$key] = self::htmlentitiesArr($value, $mode);
}
}
return $data;
}
/**
* Take the given $item (or iterates over all elements of the given array) and normalize the content.
* Only strings will be normalized. Sub arrays will be recursived normalized. Numeric content is skipped.
......
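Review bot: The string branch discards its result — `htmlentities($data, $mode);` stands on its own line and is never assigned back to `$data`, so strings are returned unescaped and the one case this helper exists for is a no-op (the Store.php hunk that feeds `$_SERVER` through it therefore gains nothing). The fix is `$data = htmlentities($data, $mode);`. Non-string, non-array values (ints, null, bools) pass through untouched, which is reasonable but worth stating in the docblock, e.g. `@param mixed $data - strings are encoded, arrays recursed, other values returned as-is`. Array keys are not encoded, only values; a one-line comment saying that is deliberate would save the next reader from wondering.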
......@@ -352,18 +352,20 @@ class Store {
* @throws CodeException
*/
private static function fillStoreClient() {
// copy GET and POST and SERVER Parameter. Priority: SERVER, POST, GET
$arr = array();
if (isset($_GET))
if (isset($_GET)) {
$arr = array_merge($arr, $_GET);
if (isset($_POST))
}
if (isset($_POST)) {
$arr = array_merge($arr, $_POST);
}
// It's important to merge the SERVER array last: those entries shall overwrite client values.
if (isset($_SERVER))
$arr = array_merge($arr, $_SERVER);
if (isset($_SERVER)) {
$server = Sanitize::htmlentitiesArr($_SERVER); // $_SERVER values might be compromised.
$arr = array_merge($arr, $server);
}
$arr = \qfq\Sanitize::normalize($arr);
self::setStore($arr, STORE_CLIENT, true);
......
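Review bot: `Sanitize::htmlentitiesArr($_SERVER)` is written unqualified while two lines later the same class is called as `\qfq\Sanitize::normalize($arr)`; use one form for both so it is visible that they resolve to the same class. The comment `// $_SERVER values might be compromised.` would carry more information if it named what is client-controlled, e.g. `// $_SERVER contains client-supplied values (HTTP_* headers, REQUEST_URI, QUERY_STRING); encode them before they enter the store.`. Encoding at input time means any consumer that also escapes on output will double-encode, and consumers using these values in non-HTML contexts (paths, redirects, logs) still need their own handling — if that trade-off is intended, say so in a comment. `$_GET` and `$_POST` are merged without the same treatment; presumably they are escaped elsewhere, but the asymmetry deserves a line explaining it. fillStoreClient's closing brace lies outside the hunk.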