Urlencode /network file parameter

diff --git a/include/conversation.php b/include/conversation.php
index 1b7b34e71ad2938280b2e92f8fe89edb7cb92d1c..2d613f0f38ac5903d14e2698e8ec813ed8b70bfa 100644 (file)
--- a/include/conversation.php
+++ b/include/conversation.php
@@ -462,17 +462,17 @@ function conversation(App $a, array $items, Pager $pager, $mode, $update, $previ
                                . "<script> var profile_uid = " . $_SESSION['uid']
                                . "; var netargs = '" . substr($a->cmd, 8)
                                . '?f='
-                               . ((x($_GET, 'cid'))    ? '&cid='    . $_GET['cid']    : '')
-                               . ((x($_GET, 'search')) ? '&search=' . $_GET['search'] : '')
-                               . ((x($_GET, 'star'))   ? '&star='   . $_GET['star']   : '')
-                               . ((x($_GET, 'order'))  ? '&order='  . $_GET['order']  : '')
-                               . ((x($_GET, 'bmark'))  ? '&bmark='  . $_GET['bmark']  : '')
-                               . ((x($_GET, 'liked'))  ? '&liked='  . $_GET['liked']  : '')
-                               . ((x($_GET, 'conv'))   ? '&conv='   . $_GET['conv']   : '')
-                               . ((x($_GET, 'nets'))   ? '&nets='   . $_GET['nets']   : '')
-                               . ((x($_GET, 'cmin'))   ? '&cmin='   . $_GET['cmin']   : '')
-                               . ((x($_GET, 'cmax'))   ? '&cmax='   . $_GET['cmax']   : '')
-                               . ((x($_GET, 'file'))   ? '&file='   . $_GET['file']   : '')
+                               . ((x($_GET, 'cid'))    ? '&cid='    . rawurlencode($_GET['cid'])    : '')
+                               . ((x($_GET, 'search')) ? '&search=' . rawurlencode($_GET['search']) : '')
+                               . ((x($_GET, 'star'))   ? '&star='   . rawurlencode($_GET['star'])   : '')
+                               . ((x($_GET, 'order'))  ? '&order='  . rawurlencode($_GET['order'])  : '')
+                               . ((x($_GET, 'bmark'))  ? '&bmark='  . rawurlencode($_GET['bmark'])  : '')
+                               . ((x($_GET, 'liked'))  ? '&liked='  . rawurlencode($_GET['liked'])  : '')
+                               . ((x($_GET, 'conv'))   ? '&conv='   . rawurlencode($_GET['conv'])   : '')
+                               . ((x($_GET, 'nets'))   ? '&nets='   . rawurlencode($_GET['nets'])   : '')
+                               . ((x($_GET, 'cmin'))   ? '&cmin='   . rawurlencode($_GET['cmin'])   : '')
+                               . ((x($_GET, 'cmax'))   ? '&cmax='   . rawurlencode($_GET['cmax'])   : '')
+                               . ((x($_GET, 'file'))   ? '&file='   . rawurlencode($_GET['file'])   : '')
 
                                . "'; var profile_page = " . $pager->getPage() . "; </script>\r\n";
                }

diff --git a/mod/filerm.php b/mod/filerm.php
index 30a7f69df9a9e925468d18cd3e0e1ad70d61c5a6..d240c2d6a757927df98f1bf81134889c7e69da16 100644 (file)
--- a/mod/filerm.php
+++ b/mod/filerm.php
@@ -36,6 +36,6 @@ function filerm_content(App $a)
                info('Item was not deleted');
        }
 
-       $a->internalRedirect('/network?f=&file=' . $term);
+       $a->internalRedirect('/network?f=&file=' . rawurlencode($term));
        killme();
 }

diff --git a/mod/network.php b/mod/network.php
index 5bc5913cdb2c66807e15f78d51d1894b69bd8a72..594a557997c91352542e60eec9727a804518f08c 100644 (file)
--- a/mod/network.php
+++ b/mod/network.php
@@ -170,16 +170,15 @@ function network_init(App $a)
 
 function saved_searches($search)
 {
-
        $srchurl = '/network?f='
-               . ((x($_GET, 'cid'))   ? '&cid='   . $_GET['cid']   : '')
-               . ((x($_GET, 'star'))  ? '&star='  . $_GET['star']  : '')
-               . ((x($_GET, 'bmark')) ? '&bmark=' . $_GET['bmark'] : '')
-               . ((x($_GET, 'conv'))  ? '&conv='  . $_GET['conv']  : '')
-               . ((x($_GET, 'nets'))  ? '&nets='  . $_GET['nets']  : '')
-               . ((x($_GET, 'cmin'))  ? '&cmin='  . $_GET['cmin']  : '')
-               . ((x($_GET, 'cmax'))  ? '&cmax='  . $_GET['cmax']  : '')
-               . ((x($_GET, 'file'))  ? '&file='  . $_GET['file']  : '');
+               . ((x($_GET, 'cid'))   ? '&cid='   . rawurlencode($_GET['cid'])   : '')
+               . ((x($_GET, 'star'))  ? '&star='  . rawurlencode($_GET['star'])  : '')
+               . ((x($_GET, 'bmark')) ? '&bmark=' . rawurlencode($_GET['bmark']) : '')
+               . ((x($_GET, 'conv'))  ? '&conv='  . rawurlencode($_GET['conv'])  : '')
+               . ((x($_GET, 'nets'))  ? '&nets='  . rawurlencode($_GET['nets'])  : '')
+               . ((x($_GET, 'cmin'))  ? '&cmin='  . rawurlencode($_GET['cmin'])  : '')
+               . ((x($_GET, 'cmax'))  ? '&cmax='  . rawurlencode($_GET['cmax'])  : '')
+               . ((x($_GET, 'file'))  ? '&file='  . rawurlencode($_GET['file'])  : '');
        ;
 
        $terms = DBA::select('search', ['id', 'term'], ['uid' => local_user()]);