On Fri, 19 Jun 2015 at 15:50:57, Marcel Korpel wrote:
> * Lukas Fleischer <[email protected]> (Fri, 19 Jun 2015 15:04:14
> +0200):
> >> + <input id="id_referer"
> >> type="hidden" name="referer"
> >> value="<?= !empty($_SERVER['HTTP_REFERER']) ?
> >> $_SERVER['HTTP_REFERER'] : '/'; ?>" />
> >
> > Please use urlencode() to escape the value of
> > $_SERVER['HTTP_REFERER'].
>
> With due respect, I think you're wrong here: he is not writing a URL
> parameter, but an HTML attribute. The URL-encoding has already been
> taken into account by the browser at this point.
> [...]
Yeah, you're right. Good catch! It should be
htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES)
then.
