bugfix: sanitization filter "parameter" => Since the filter parameter is now url-encoded, it may now contain %3D, %2B and %2F (respectively =, + and /).

A migration note was written: https://wiki.combodo.com/doku.php?id=latest:install:240_to_250_migration_notes#param_filter

SVN:trunk[5770]
Bruno Da Silva
2018-05-04 10:13:29 +00:00
parent 1dccc54814
commit 7bdad90564


@@ -311,7 +311,7 @@ class utils
switch($sSanitizationFilter)
{
case 'parameter':
$retValue = filter_var($value, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>'/^[ A-Za-z0-9_=-]*$/'))); // the '=' equal character is used in serialized filters
$retValue = filter_var($value, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>'/^([ A-Za-z0-9_=-]|%3D|%2B|%2F)*$/'))); // the '=', '%3D, '%2B', '%2F' characters are used in serialized filters (starting 2.5, only the url encoded versions are presents, but the "=" is kept for BC)
break;
case 'field_name':
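
Review bot: In the new 'parameter' regexp, the alternatives %3D, %2B and %2F are matched case-sensitively, so a client that emits lowercase hex digits (%3d, %2b, %2f, which RFC 3986 treats as equivalent) will have its value rejected by filter_var. Consider a pattern such as `/^(?:[ A-Za-z0-9_=-]|%3D|%2B|%2F)*\z/i`, which accepts both cases and drops the unneeded capturing group. The `\z` in that suggestion addresses a second point: `$` without the `D` modifier also matches just before a trailing newline, so a value ending in a line feed passes this allow-list, as it already did with the old pattern. The trailing comment also has an unbalanced quote in `'%3D,` and "presents" should read "present".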