From 4d54fca60d869f9706200dfa7b5e502ecd4837f8 Mon Sep 17 00:00:00 2001
From: "Jehan-Guillaume (ioguix) de Rorthais" <ioguix@free.fr>
Date: Sat, 17 Dec 2011 00:25:10 +0100
Subject: [PATCH] Securing $misc->href

See http://php.net/manual/en/function.urlencode.php
This is only used in href parameter of A tag and should be escaped
properly.
---
 classes/Misc.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/classes/Misc.php b/classes/Misc.php
index 3a04ddc7..49774ff6 100644
--- a/classes/Misc.php
+++ b/classes/Misc.php
@@ -40,13 +40,13 @@
 			if (isset($_REQUEST['server']) && $exclude_from != 'server') {
 				$href .= 'server=' . urlencode($_REQUEST['server']);
 				if (isset($_REQUEST['database']) && $exclude_from != 'database') {
-					$href .= '&amp;database=' . urlencode($_REQUEST['database']);
+					$href .= '&database=' . urlencode($_REQUEST['database']);
 					if (isset($_REQUEST['schema']) && $exclude_from != 'schema') {
-						$href .= '&amp;schema=' . urlencode($_REQUEST['schema']);
+						$href .= '&schema=' . urlencode($_REQUEST['schema']);
 					}
 				}
 			}
-			return $href;
+			return htmlentities($href);
 		}
 
 		/**
-- 
2.39.5