tim_o_boy
Posted October 18, 2012

I've a site failing PCI scans due to various cross-site scripting issues. For one issue I've altered the function tep_get_all_get_params(). What I'd like to ask is: can anyone see a reason why this added line might cause issues anywhere in the site? My local testing seems to be OK but I'd like to run it by the experts before going live.

Original:

    function tep_get_all_get_params($exclude_array = '') {
      global $HTTP_GET_VARS;

      if (!is_array($exclude_array)) $exclude_array = array();

      $get_url = '';
      if (is_array($HTTP_GET_VARS) && (sizeof($HTTP_GET_VARS) > 0)) {
        reset($HTTP_GET_VARS);
        while (list($key, $value) = each($HTTP_GET_VARS)) {
          if ( (strlen($value) > 0) && ($key != tep_session_name()) && ($key != 'error') && (!in_array($key, $exclude_array)) && ($key != 'x') && ($key != 'y') ) {
            $get_url .= $key . '=' . rawurlencode(stripslashes($value)) . '&';
          }
        }
      }

      return $get_url;
    }

Updated version (including changing $HTTP_GET_VARS to $_GET):

    function tep_get_all_get_params($exclude_array = '') {
      global $_GET;

      if (!is_array($exclude_array)) $exclude_array = array();

      $get_url = '';
      if (is_array($_GET) && (sizeof($_GET) > 0)) {
        reset($_GET);
        while (list($key, $value) = each($_GET)) {
          if ( (strlen($value) > 0) && ($key != tep_session_name()) && ($key != 'error') && (!in_array($key, $exclude_array)) && ($key != 'x') && ($key != 'y') ) {
            $key = preg_replace("/<(.*)>/", "", $key);  #### added line #####
            $get_url .= $key . '=' . rawurlencode(stripslashes($value)) . '&';
          }
        }
      }

      return $get_url;
    }
Archived
This topic is now archived and is closed to further replies.
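Added example, not part of the original post and not osCommerce code: it runs the posted regex filter over a few constructed parameter names and compares it with percent-encoding the key the same way the function already encodes the value. The function names `strip_tags_from_key` and `build_get_params` and the sample keys are hypothetical; it assumes magic quotes are off (no `stripslashes`) and that the session name, `error`, `x` and `y` are passed in through the exclude list.

```php
<?php
// Added example, not osCommerce code. Function names and sample keys are constructed.

// The filter from the updated version above, applied to a key on its own.
function strip_tags_from_key(string $key): string {
    return preg_replace("/<(.*)>/", "", $key);
}

// Alternative: percent-encode the key exactly as the value already is,
// instead of trying to remove selected characters from it.
function build_get_params(array $params, array $exclude = []): string {
    $get_url = '';
    foreach ($params as $key => $value) {
        $key = (string) $key;
        // Nested parameters (a[]=1) arrive as arrays; skip them and empty values.
        if (!is_string($value) || $value === '' || in_array($key, $exclude, true)) {
            continue;
        }
        $get_url .= rawurlencode($key) . '=' . rawurlencode($value) . '&';
    }
    return $get_url;
}

// Constructed sample keys: a closed tag pair, an unclosed bracket, a bare quote.
$samples = ['<i>sort</i>' => '1', 'sort<b' => '2', 'sort"x' => '3'];

foreach (array_keys($samples) as $key) {
    // The greedy pattern empties the first key entirely (it spans from the
    // first "<" to the last ">") and leaves the other two unchanged.
    printf("%-12s regex: %-8s encoded: %s\n",
        $key, strip_tags_from_key($key), rawurlencode($key));
}

// Every key is now inert in a URL: %3C, %3E and %22 replace <, > and ".
echo build_get_params($samples), "\n";
```

The returned string usually ends up inside an HTML attribute such as `href`, so it should still pass through `htmlspecialchars()` at the point of output.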