From 0dc184e99f0ca607774a68257432a9a981f4d5b7 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Mon, 18 Jan 2010 11:10:37 -0800
Subject: Overload url::current() and url::merge() to make the current url XSS
 safe.  Add tests to make sure that it doesn't relapse with future Kohana
 changes.  Fixes ticket #983.

Ref: http://gallery.menalto.com/node/93738
---
 modules/gallery/helpers/MY_url.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'modules/gallery/helpers/MY_url.php')

diff --git a/modules/gallery/helpers/MY_url.php b/modules/gallery/helpers/MY_url.php
index 74284951..8a7909b6 100644
--- a/modules/gallery/helpers/MY_url.php
+++ b/modules/gallery/helpers/MY_url.php
@@ -89,4 +89,18 @@ class url extends url_Core {
   static function abs_current($qs=false) {
     return self::abs_site(url::current($qs));
   }
+
+  /**
+   * Just like url::merge except that it escapes any XSS in the path.
+   */
+  static function merge($params) {
+    return htmlspecialchars(parent::merge($params));
+  }
+
+  /**
+   * Just like url::current except that it escapes any XSS in the path.
+   */
+  static function current($qs=false, $suffix=false) {
+    return htmlspecialchars(parent::current($qs, $suffix));
+  }
 }
-- 
cgit v1.2.3