move htmlspecialchars call after language declaration so that we can be consistent...
authorxzilla <xzilla>
Thu, 31 May 2007 15:54:18 +0000 (15:54 +0000)
committerxzilla <xzilla>
Thu, 31 May 2007 15:54:18 +0000 (15:54 +0000)
This should prevent more advanced forms of XSS attacks.

libraries/lib.inc.php

index 0241aec06ae63bb3f3b35cf6df4e10662a307a69..18683a21ba58ae5a45659b2351e880b65f2fbc53 100644 (file)
@@ -3,12 +3,9 @@
        /**
         * Function library read in upon startup
         *
-        * $Id: lib.inc.php,v 1.115 2007/05/28 19:21:29 soranzo Exp $
+        * $Id: lib.inc.php,v 1.116 2007/05/31 15:54:18 xzilla Exp $
         */
 
-       // Prevent XSS attacks
-       $PHP_SELF = htmlspecialchars($_SERVER['PHP_SELF']);
-
        include_once('./libraries/decorator.inc.php');
        include_once('./lang/translations.php');
        
                $_SESSION['webdbLanguage'] = $_language;
        }
 
+       // Prevent XSS attacks
+       $PHP_SELF = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, $lang['appcharset']);
+
        // Check for config file version mismatch
        if (!isset($conf['version']) || $conf['base_version'] > $conf['version']) {
                echo $lang['strbadconfig'];
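Review bot: Moving the assignment below the language block leaves `$PHP_SELF` undefined for everything that runs before the new `$PHP_SELF = htmlspecialchars(...)` line — the two `include_once` calls and the language-selection code that precedes it — so if any of that code references `$PHP_SELF` it now reads an unset variable (empty string plus a notice) instead of the escaped value, which changes output silently rather than failing visibly. That language-selection block begins outside the hunk, so this cannot be confirmed from the diff alone; it is worth checking decorator.inc.php, translations.php and the selection code for uses of `$PHP_SELF` before merging. The third argument also assumes every translation defines `$lang['appcharset']`; a translation that lacks it presumably passes an empty charset and htmlspecialchars falls back to its default, which undoes the multibyte hardening this commit is for — consider `isset($lang['appcharset']) ? $lang['appcharset'] : 'UTF-8'` or a comment stating that `appcharset` is mandatory in every translation file. Finally, `ENT_QUOTES` makes `$PHP_SELF` safe only in HTML text and quoted attribute contexts, so a comment such as `// HTML-escaped for text/attribute contexts only; JavaScript or URL contexts need their own escaping` would document the remaining limit for callers.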