See http://php.net/manual/en/function.urlencode.php
This is only used in the href attribute of an A tag and should be escaped
properly.
if (isset($_REQUEST['server']) && $exclude_from != 'server') {
$href .= 'server=' . urlencode($_REQUEST['server']);
if (isset($_REQUEST['database']) && $exclude_from != 'database') {
- $href .= '&database=' . urlencode($_REQUEST['database']);
+ $href .= '&database=' . urlencode($_REQUEST['database']);
if (isset($_REQUEST['schema']) && $exclude_from != 'schema') {
- $href .= '&schema=' . urlencode($_REQUEST['schema']);
+ $href .= '&schema=' . urlencode($_REQUEST['schema']);
}
}
}
- return $href;
+ return htmlentities($href);
}
/**