Merge branch 'fix-array-query-params' into 'master'

Allow arrays when sanitizing GET query parameters See merge request davical-project/davical!143
2026-05-25 02:34:17 +00:00 · 2026-04-16 15:46:27 +00:00 · 2026-04-16 15:46:27 +00:00 · ff29a32103
commit ff29a32103
parent 0f14bcb73b 743ff69c03
1 changed files with 15 additions and 3 deletions
--- a/htdocs/always.php
+++ b/htdocs/always.php
@ -32,9 +32,21 @@ function clean_get() {

    foreach($_GET as $key => $value) {
        // XSS is possible in both key and values
-        $k = htmlspecialchars($key);
-        $v = htmlspecialchars($value);
-        $temp[$k] = $v;
+        $key = htmlspecialchars($key);
+
+        switch (gettype($value)) {
+            case "string":
+                $value = htmlspecialchars($value);
+                break;
+            case "array":
+                array_walk_recursive($value, function(&$v) {
+                    if (gettype($v) == "string") {
+                        $v = htmlspecialchars($v);
+                    }
+                });
+                break;
+        }
+        $temp[$key] = $value;
    }

    return $temp;