path: root/modules/gallery/helpers/MY_url.php
author: Bharat Mediratta <bharat@menalto.com> 2010-01-18 11:10:37 -0800
committer: Bharat Mediratta <bharat@menalto.com> 2010-01-18 11:10:37 -0800
commit: 0dc184e99f0ca607774a68257432a9a981f4d5b7
tree: c80a6c2c24215bf31a3fbde974b509bd77f5e826 /modules/gallery/helpers/MY_url.php
parent: 2c2c77ea391a59f89449d07aff604bf11042515c
Overload url::current() and url::merge() to make the current url XSS safe. Add tests to make sure that it doesn't relapse with future Kohana changes. Fixes ticket #983. Ref: http://gallery.menalto.com/node/93738
Diffstat (limited to 'modules/gallery/helpers/MY_url.php')
-rw-r--r-- modules/gallery/helpers/MY_url.php 14
1 files changed, 14 insertions, 0 deletions
diff --git a/modules/gallery/helpers/MY_url.php b/modules/gallery/helpers/MY_url.php
index 74284951..8a7909b6 100644
--- a/modules/gallery/helpers/MY_url.php
+++ b/modules/gallery/helpers/MY_url.php
@@ -89,4 +89,18 @@ class url extends url_Core {
static function abs_current($qs=false) {
return self::abs_site(url::current($qs));
}
+
+ /**
+ * Just like url::merge except that it escapes any XSS in the path.
+ */
+ static function merge($params) {
+ return htmlspecialchars(parent::merge($params));
+ }
+
+ /**
+ * Just like url::current except that it escapes any XSS in the path.
+ */
+ static function current($qs=false, $suffix=false) {
+ return htmlspecialchars(parent::current($qs, $suffix));
+ }
}
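Review bot: In both merge() and current(), htmlspecialchars() is called with no flags or charset argument, so on PHP versions before 8.1 the default ENT_COMPAT leaves single quotes unescaped, and a URL echoed into a single-quoted attribute can still break out of it. Consider passing ENT_QUOTES and the application charset explicitly. Second, these overrides now return HTML-encoded strings to every caller, including abs_current() in the context lines above, which feeds url::current($qs) into abs_site(); any caller that uses the result outside HTML (a redirect header, for example) will see `&amp;` in the query string, and any view that already escapes it will double-encode. If that trade-off is intended, it is worth stating in the docblocks, which currently say only that XSS "in the path" is escaped even though merge() returns a query string and current($qs) can include one.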