The default form action (request_uri) didn't escape HTML entities (such as &)

author: Steven Wittens <steven@10.no-reply.drupal.org> 2002-05-21 16:00:39 +0000
committer: Steven Wittens <steven@10.no-reply.drupal.org> 2002-05-21 16:00:39 +0000
commit: 7cd6e0b17dd10b1a8e6cac4df180230bdff7eb77 (patch)
tree: 198070e2de727420fedc6509a8f8870a40a6016c /includes
parent: f1f458ddf029cdcd0a3de4312c9dc28ac9030804 (diff)
download: brdo-7cd6e0b17dd10b1a8e6cac4df180230bdff7eb77.tar.gz
brdo-7cd6e0b17dd10b1a8e6cac4df180230bdff7eb77.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/includes/common.inc b/includes/common.inc
index 82674223e..1634d641b 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -567,7 +567,7 @@ function format_tag($link, $text) {
 }
 
 function form($form, $method = "post", $action = 0, $options = 0) {
-  return "<form action=\"". ($action ? $action : request_uri()) ."\" method=\"$method\"". ($options ? " $options" : "") .">\n$form</form>\n";
+  return "<form action=\"". ($action ? $action : htmlentities(request_uri())) ."\" method=\"$method\"". ($options ? " $options" : "") .">\n$form</form>\n";
 }
 
 function form_item($title, $value, $description = 0) {
author	Steven Wittens <steven@10.no-reply.drupal.org>	2002-05-21 16:00:39 +0000
committer	Steven Wittens <steven@10.no-reply.drupal.org>	2002-05-21 16:00:39 +0000
commit	7cd6e0b17dd10b1a8e6cac4df180230bdff7eb77 (patch)
tree	198070e2de727420fedc6509a8f8870a40a6016c /includes
parent	f1f458ddf029cdcd0a3de4312c9dc28ac9030804 (diff)
download	brdo-7cd6e0b17dd10b1a8e6cac4df180230bdff7eb77.tar.gz brdo-7cd6e0b17dd10b1a8e6cac4df180230bdff7eb77.tar.bz2