-rw-r--r-- | inc/common.php | 4 | ||||
-rw-r--r-- | inc/pageutils.php | 8 |
2 files changed, 8 insertions, 4 deletions
diff --git a/inc/common.php b/inc/common.php
index 5d6287ada..0fdeec63b 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -285,9 +285,9 @@ function ml($id='',$more='',$direct=true){
 $xlink .= 'lib/exe/fetch.php';
 if($more){
 $xlink .= '?'.$more;
- $xlink .= '&media='.$id;
+ $xlink .= '&media='.urlencode($id);
 }else{
- $xlink .= '?media='.$id;
+ $xlink .= '?media='.urlencode($id);
 }
 return $xlink;
 }
diff --git a/inc/pageutils.php b/inc/pageutils.php
index d81d22a58..e22dc3c86 100644
--- a/inc/pageutils.php
+++ b/inc/pageutils.php
@@ -13,14 +13,18 @@
 * Uses either standard $_REQUEST variable or extracts it from
 * the full request URI when userewrite is set to 2
 *
- * Returns $conf['start'] if no id was found and $param is 'id'
+ * For $param='id' $conf['start'] is returned if no id was found
+ * and the returned ID will be cleaned. For other params the
+ * cleaning has to be done outside this function
 *
 * @author Andreas Gohr <andi@splitbrain.org>
 */
 function getID($param='id'){
 global $conf;
- $id = cleanID($_REQUEST[$param]);
+ $id = $_REQUEST[$param];
+
+ if($param == 'id') $id = cleanID($id);
 //construct page id from request URI
 if(empty($id) && $conf['userewrite'] == 2){ |
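Review bot: `$more` is still appended verbatim at `$xlink .= '?'.$more;`, so only the media id is encoded by this change and the query string is only as well-formed as what each caller passes in. The function's docblock, which lies outside the hunk, should say so, for example `@param string $more  additional query parameters, must already be URL-encoded by the caller`. The string is also joined with a bare `&`, so it is a raw URL rather than HTML; a caller that prints it into an `href` or `src` attribute presumably has to pass it through `htmlspecialchars()` first, and that is worth stating in the same docblock. ml() starts before the hunk, so any other branch that builds the link from `$id` is not visible here and should be checked for the same encoding.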
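Review bot: After this change getID() returns `$_REQUEST[$param]` unmodified for every parameter other than 'id', so any caller that was not updated in the same commit now receives raw request input where it used to get a cleaned ID. No such caller is visible in this diff, and each one needs checking before the value is used to build a file path. A fail-closed variant keeps cleaning as the default and makes the raw value an explicit choice: `function getID($param='id',$clean=true){` with `if($clean) $id = cleanID($id);`. The read itself should be guarded as well, `$id = isset($_REQUEST[$param]) ? $_REQUEST[$param] : null;`, because the key can be absent. getID()'s body continues past the end of the hunk.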