26 Feb 2007, 4:20 p.m.
bootstrap uses PHP_SELF in conf_init and request_uri, as far as I can tell without filtering. This isn't safe. Is this getting filtered somewhere or somehow that I'm missing? If it isn't getting filtered elsewhere, adding htmlentities to these two functions would be an inelegant but sufficient (for security purposes) fix. See here for a discussion about not trusting PHP_SELF: http://blog.phpdoc.info/archives/13-guid.html
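The following is an added example, not code from the issue thread or from Drupal's bootstrap. It shows why echoing PHP_SELF unescaped is unsafe and what the htmlentities fix proposed above changes. The function names form_action_unsafe and form_action_safe and the sample request path are constructed for illustration; PHP_SELF includes any PATH_INFO appended to the script name, so the value is taken as a plain string here rather than read from a live request.

```php
<?php
// Added example (not Drupal code): escaping PHP_SELF before it reaches HTML.

// Unsafe: the raw value of PHP_SELF is written straight into an attribute.
// Because PHP_SELF carries client-controlled PATH_INFO, a quote or angle
// bracket in the request path ends the attribute and injects markup.
function form_action_unsafe(string $php_self): string
{
    return '<form action="' . $php_self . '" method="post">';
}

// Safe: encode the value with htmlentities, quoting both " and ', before
// it is placed in the attribute. This is the fix the comment above proposes.
function form_action_safe(string $php_self): string
{
    $escaped = htmlentities($php_self, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// Constructed sample: what $_SERVER['PHP_SELF'] would hold for a request to
// /index.php/"><b>injected</b> (no web server needed to run this script).
$sample = '/index.php/"><b>injected</b>';

// The unsafe form breaks out of the action attribute and emits a <b> tag;
// the safe form keeps the whole path inside the attribute as encoded text.
echo form_action_unsafe($sample), PHP_EOL;
echo form_action_safe($sample), PHP_EOL;
```

Run with `php example.php` and compare the two lines: in the first, the attribute closes early and the injected tag becomes part of the page, while in the second the quote and angle brackets appear as entities. The same encoding applies wherever conf_init or request_uri output ends up in markup; encoding at the point of output is the check to apply, since PHP_SELF itself cannot be trusted to contain only the script path.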