Diffstat (limited to 'engine')
| -rw-r--r-- | engine/lib/input.php | 5 | ||||
| -rw-r--r-- | engine/lib/river.php | 3 | 
2 files changed, 8 insertions, 0 deletions
| diff --git a/engine/lib/input.php b/engine/lib/input.php
index 84752bc7d..56ec214dc 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -10,8 +10,13 @@
 /**
  * Get some input from variables passed on the GET or POST line.
  *
+ * If using any data obtained from get_input() in a web page, please be aware that
+ * it is a possible vector for a reflected XSS attack. If you are expecting an
+ * integer, cast it to an int. If it is a string, escape quotes.
+ *
  * Note: this function does not handle nested arrays (ex: form input of param[m][n])
  * because of the filtering done in htmlawed from the filter_tags call.
+ * @todo Is this ^ still?
  *
  * @param string $variable      The variable we want to return.
  * @param mixed  $default       A default value for the variable if it is not found.
diff --git a/engine/lib/river.php b/engine/lib/river.php
index 36dde7f05..1a2be1e50 100644
--- a/engine/lib/river.php
+++ b/engine/lib/river.php
@@ -589,10 +589,13 @@ function elgg_river_page_handler($page) {
 	elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
+	// make a URL segment available in page handler script
 	$page_type = elgg_extract(0, $page, 'all');
+	$page_type = preg_replace('[\W]', '', $page_type);
 	if ($page_type == 'owner') {
 		$page_type = 'mine';
 	}
+	set_input('page_type', $page_type);
 	// content filter code here
 	$entity_type = '';
 |
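Review bot: The new advice `If it is a string, escape quotes` understates what is needed to prevent the reflected XSS the same paragraph warns about: escaping quotes alone does nothing against `<script>` or other tag/attribute-breaking input, and the safe step is encoding for the output context. Suggest rewording the added sentence to `If it is a string, escape it for the context it is output in (e.g. htmlspecialchars() with ENT_QUOTES for HTML); escaping quotes alone is not sufficient.` The added `@todo Is this ^ still?` sits inside the public docblock and will be rendered as API documentation; consider writing it as a complete question, e.g. `@todo Confirm whether the nested-array limitation above still applies.` The documented function's signature and body are outside this hunk.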
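Review bot: The added `preg_replace('[\W]', '', $page_type)` uses `[` and `]` as the PCRE delimiters, so the effective pattern is just `\W` and the call works, but it reads as a character class with missing delimiters and is easy to "fix" into a broken pattern later; prefer the conventional form `$page_type = preg_replace('/\W/', '', $page_type);`. Since `elgg_extract()` falls back to `'all'` and the strip runs before the `'owner'` comparison, the later `set_input('page_type', $page_type)` only ever publishes an ASCII word-character string, which is the right shape for a value that other code will read back via get_input(); a short comment such as `// restrict to [A-Za-z0-9_] before exposing it to other page-handler code` would make that intent explicit. Note that preg_replace() returns null on a PCRE error, so a strict check elsewhere could see null rather than a string — probably acceptable here, but worth a `?? ''` if the value is compared strictly downstream. elgg_river_page_handler() starts and ends outside the hunk, so how `$page_type` feeds `$entity_type` is not visible here.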
