* Lukas Fleischer <lfleisc...@archlinux.org> (Fri, 19 Jun 2015 15:04:14 +0200): >> + <input id="id_referer" >> type="hidden" name="referer" >> value="<?= !empty($_SERVER['HTTP_REFERER']) ? >> $_SERVER['HTTP_REFERER'] : '/'; ?>" /> > > Please use urlencode() to escape the value of > $_SERVER['HTTP_REFERER'].
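Review bot: The value attribute of the hidden "referer" input prints $_SERVER['HTTP_REFERER'] with no escaping, and that header is supplied by the client, so a double quote in it would close the attribute early. Because the output context is an HTML attribute, wrap the expression in htmlspecialchars() with ENT_QUOTES; urlencode() would instead re-encode the percent signs of a URL the browser has already encoded. If this field is later used as a redirect target, it should also be checked to be a local path before use.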
With due respect, I think you're wrong here: he is not writing a URL parameter, but an HTML attribute. The URL-encoding has already been taken into account by the browser at this point.

Please test it with a tag you create with a UTF-8 character in it, click on it to open a search result page and then login and view the source.

Best,
Marcel