From 90f1b7bd60332450b32e4ec0b189ddb0ab11fdf8 Mon Sep 17 00:00:00 2001
From: Tom N Harris <tnharris@whoopdedo.org>
Date: Wed, 27 Jun 2012 02:30:15 -0400
Subject: Input wrapper for action.php

---
 inc/actions.php | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/inc/actions.php b/inc/actions.php
index e85cbfccc..0c35bc88c 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -20,6 +20,7 @@ function act_dispatch(){
     global $ID;
     global $INFO;
     global $QUERY;
+    global $INPUT;
     global $lang;
     global $conf;
 
@@ -131,14 +132,14 @@ function act_dispatch(){
         //handle admin tasks
         if($ACT == 'admin'){
             // retrieve admin plugin name from $_REQUEST['page']
-            if (!empty($_REQUEST['page'])) {
+            if (($page = $INPUT->str('page', '', true)) != '') {
                 $pluginlist = plugin_list('admin');
-                if (in_array($_REQUEST['page'], $pluginlist)) {
+                if (in_array($page, $pluginlist)) {
                     // attempt to load the plugin
-                    if ($plugin =& plugin_load('admin',$_REQUEST['page']) !== null){
+                    if ($plugin =& plugin_load('admin',$page) !== null){
                         if($plugin->forAdminOnly() && !$INFO['isadmin']){
                             // a manager tried to load a plugin that's for admins only
-                            unset($_REQUEST['page']);
+                            $INPUT->remove('page');
                             msg('For admins only',-1);
                         }else{
                             $plugin->handle();
@@ -300,13 +301,14 @@ function act_draftdel($act){
 function act_draftsave($act){
     global $INFO;
     global $ID;
+    global $INPUT;
     global $conf;
-    if($conf['usedraft'] && $_POST['wikitext']){
+    if($conf['usedraft'] && $INPUT->post->has('wikitext')) {
         $draft = array('id'     => $ID,
-                'prefix' => substr($_POST['prefix'], 0, -1),
-                'text'   => $_POST['wikitext'],
-                'suffix' => $_POST['suffix'],
-                'date'   => (int) $_POST['date'],
+                'prefix' => substr($INPUT->post->str('prefix'), 0, -1),
+                'text'   => $INPUT->post->str('wikitext'),
+                'suffix' => $INPUT->post->str('suffix'),
+                'date'   => $INPUT->post->int('date'),
                 'client' => $INFO['client'],
                 );
         $cname = getCacheName($draft['client'].$ID,'.draft');
@@ -335,6 +337,7 @@ function act_save($act){
     global $SUM;
     global $lang;
     global $INFO;
+    global $INPUT;
 
     //spam check
     if(checkwordblock()) {
@@ -346,7 +349,7 @@ function act_save($act){
         return 'conflict';
 
     //save it
-    saveWikiText($ID,con($PRE,$TEXT,$SUF,1),$SUM,$_REQUEST['minor']); //use pretty mode for con
+    saveWikiText($ID,con($PRE,$TEXT,$SUF,1),$SUM,$INPUT->bool('minor')); //use pretty mode for con
     //unlock it
     unlock($ID);
 
@@ -669,6 +672,7 @@ function act_subscription($act){
     global $lang;
     global $INFO;
     global $ID;
+    global $INPUT;
 
     // subcriptions work for logged in users only
     if(!$_SERVER['REMOTE_USER']) return 'show';
@@ -676,8 +680,8 @@ function act_subscription($act){
     // get and preprocess data.
     $params = array();
     foreach(array('target', 'style', 'action') as $param) {
-        if (isset($_REQUEST["sub_$param"])) {
-            $params[$param] = $_REQUEST["sub_$param"];
+        if ($INPUT->has("sub_$param")) {
+            $params[$param] = $INPUT->str("sub_$param");
         }
     }
 
-- 
cgit v1.2.3


From 7d01a0eac854c623a74ff7936d5eba9413aefe79 Mon Sep 17 00:00:00 2001
From: Tom N Harris <tnharris@whoopdedo.org>
Date: Wed, 27 Jun 2012 02:48:49 -0400
Subject: more INPUT wrapper uses: cache purge, sectok, getID

---
 inc/cache.php     | 3 ++-
 inc/common.php    | 3 ++-
 inc/pageutils.php | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/inc/cache.php b/inc/cache.php
index ff78e37ae..204c6f006 100644
--- a/inc/cache.php
+++ b/inc/cache.php
@@ -84,7 +84,8 @@ class cache {
      * it should only overwrite a dependency when the new value is more stringent than the old
      */
     function _addDependencies() {
-        if (isset($_REQUEST['purge'])) $this->depends['purge'] = true;   // purge requested
+        global $INPUT;
+        if ($INPUT->has('purge')) $this->depends['purge'] = true;   // purge requested
     }
 
     /**
diff --git a/inc/common.php b/inc/common.php
index 768260bbf..02ed2432b 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -63,9 +63,10 @@ function getSecurityToken() {
  * Check the secret CSRF token
  */
 function checkSecurityToken($token = null) {
+    global $INPUT;
     if(!$_SERVER['REMOTE_USER']) return true; // no logged in user, no need for a check
 
-    if(is_null($token)) $token = $_REQUEST['sectok'];
+    if(is_null($token)) $token = $INPUT->str('sectok');
     if(getSecurityToken() != $token) {
         msg('Security Token did not match. Possible CSRF attack.', -1);
         return false;
diff --git a/inc/pageutils.php b/inc/pageutils.php
index c94d14624..95f791364 100644
--- a/inc/pageutils.php
+++ b/inc/pageutils.php
@@ -19,9 +19,10 @@
  * @author Andreas Gohr <andi@splitbrain.org>
  */
 function getID($param='id',$clean=true){
+    global $INPUT;
     global $conf;
 
-    $id = isset($_REQUEST[$param]) ? $_REQUEST[$param] : null;
+    $id = $INPUT->str($param);
 
     //construct page id from request URI
     if(empty($id) && $conf['userewrite'] == 2){
-- 
cgit v1.2.3


From bfd0f5975e6e3578b4fa0c712e9779a0861fdc72 Mon Sep 17 00:00:00 2001
From: Tom N Harris <tnharris@whoopdedo.org>
Date: Thu, 28 Jun 2012 22:04:10 -0400
Subject: Input wrapper for exe scripts

---
 lib/exe/css.php     | 8 ++++----
 lib/exe/detail.php  | 4 ++--
 lib/exe/fetch.php   | 8 ++++----
 lib/exe/indexer.php | 7 ++++---
 4 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/lib/exe/css.php b/lib/exe/css.php
index 69b512205..5cc4ab830 100644
--- a/lib/exe/css.php
+++ b/lib/exe/css.php
@@ -29,14 +29,14 @@ function css_out(){
     global $conf;
     global $lang;
     global $config_cascade;
+    global $INPUT;
 
     $mediatype = 'screen';
-    if (isset($_REQUEST['s']) &&
-        in_array($_REQUEST['s'], array('all', 'print', 'feed'))) {
-        $mediatype = $_REQUEST['s'];
+    if (in_array($INPUT->str('s'), array('all', 'print', 'feed'))) {
+        $mediatype = $INPUT->str('s');
     }
 
-    $tpl = trim(preg_replace('/[^\w-]+/','',$_REQUEST['t']));
+    $tpl = trim(preg_replace('/[^\w-]+/','',$INPUT->str('t')));
     if($tpl){
         $tplinc = DOKU_INC.'lib/tpl/'.$tpl.'/';
         $tpldir = DOKU_BASE.'lib/tpl/'.$tpl.'/';
diff --git a/lib/exe/detail.php b/lib/exe/detail.php
index 35186f5dd..ea46bc037 100644
--- a/lib/exe/detail.php
+++ b/lib/exe/detail.php
@@ -6,9 +6,9 @@ require_once(DOKU_INC.'inc/init.php');
 session_write_close();
 
 $IMG  = getID('media');
-$ID   = cleanID($_REQUEST['id']);
+$ID   = cleanID($INPUT->str('id'));
 
-if($conf['allowdebug'] && $_REQUEST['debug']){
+if($conf['allowdebug'] && $INPUT->has('debug')){
     print '<pre>';
     foreach(explode(' ','basedir userewrite baseurl useslash') as $x){
         print '$'."conf['$x'] = '".$conf[$x]."';\n";
diff --git a/lib/exe/fetch.php b/lib/exe/fetch.php
index 143d40f22..60843460e 100644
--- a/lib/exe/fetch.php
+++ b/lib/exe/fetch.php
@@ -17,10 +17,10 @@
 
   //get input
   $MEDIA  = stripctl(getID('media',false)); // no cleaning except control chars - maybe external
-  $CACHE  = calc_cache($_REQUEST['cache']);
-  $WIDTH  = (int) $_REQUEST['w'];
-  $HEIGHT = (int) $_REQUEST['h'];
-  $REV   = (int) @$_REQUEST['rev'];
+  $CACHE  = calc_cache($INPUT->str('cache'));
+  $WIDTH  = $INPUT->int('w');
+  $HEIGHT = $INPUT->int('h');
+  $REV    = &$INPUT->ref('rev');
   //sanitize revision
   $REV = preg_replace('/[^0-9]/','',$REV);
 
diff --git a/lib/exe/indexer.php b/lib/exe/indexer.php
index 738a29503..e149770c0 100644
--- a/lib/exe/indexer.php
+++ b/lib/exe/indexer.php
@@ -20,10 +20,10 @@ if(!$defer){
     sendGIF(); // send gif
 }
 
-$ID = cleanID($_REQUEST['id']);
+$ID = cleanID($INPUT->str('id'));
 
 // Catch any possible output (e.g. errors)
-$output = isset($_REQUEST['debug']) && $conf['allowdebug'];
+$output = $INPUT->has('debug') && $conf['allowdebug'];
 if(!$output) ob_start();
 
 // run one of the jobs
@@ -261,7 +261,8 @@ function sendDigest() {
  * @author Harry Fuecks <fuecks@gmail.com>
  */
 function sendGIF(){
-    if(isset($_REQUEST['debug'])){
+    global $INPUT;
+    if($INPUT->has('debug')){
         header('Content-Type: text/plain');
         return;
     }
-- 
cgit v1.2.3


From 8108113c244529ec54f11271a6a15e3d1e0a048f Mon Sep 17 00:00:00 2001
From: Tom N Harris <tnharris@whoopdedo.org>
Date: Thu, 28 Jun 2012 22:15:56 -0400
Subject: Input validation for media manager

---
 inc/media.php            | 66 +++++++++++++++++++++++++++++-------------------
 lib/exe/mediamanager.php | 35 +++++++++++++------------
 2 files changed, 57 insertions(+), 44 deletions(-)

diff --git a/inc/media.php b/inc/media.php
index 2462a1deb..6c92225ff 100644
--- a/inc/media.php
+++ b/inc/media.php
@@ -226,8 +226,9 @@ function media_delete($id,$auth){
  */
 function media_upload_xhr($ns,$auth){
     if(!checkSecurityToken()) return false;
+    global $INPUT;
 
-    $id = $_GET['qqfile'];
+    $id = $INPUT->get->str('qqfile');
     list($ext,$mime,$dl) = mimetype($id);
     $input = fopen("php://input", "r");
     if (!($tmp = io_mktmpdir())) return false;
@@ -247,7 +248,7 @@ function media_upload_xhr($ns,$auth){
             'mime' => $mime,
             'ext'  => $ext),
         $ns.':'.$id,
-        (($_REQUEST['ow'] == 'checked') ? true : false),
+        (($INPUT->get->str('ow') == 'checked') ? true : false),
         $auth,
         'copy'
     );
@@ -270,9 +271,10 @@ function media_upload_xhr($ns,$auth){
 function media_upload($ns,$auth,$file=false){
     if(!checkSecurityToken()) return false;
     global $lang;
+    global $INPUT;
 
     // get file and id
-    $id   = $_POST['mediaid'];
+    $id   = $INPUT->post->str('mediaid');
     if (!$file) $file = $_FILES['upload'];
     if(empty($id)) $id = $file['name'];
 
@@ -294,7 +296,7 @@ function media_upload($ns,$auth,$file=false){
     $res = media_save(array('name' => $file['tmp_name'],
                             'mime' => $imime,
                             'ext'  => $iext), $ns.':'.$id,
-                      $_REQUEST['ow'], $auth, 'move_uploaded_file');
+                      $INPUT->post->bool('ow'), $auth, 'move_uploaded_file');
     if (is_array($res)) {
         msg($res[0], $res[1]);
         return false;
@@ -641,7 +643,9 @@ function media_tabs_details($image, $selected_tab = ''){
  * @author Kate Arzamastseva <pshns@ukr.net>
  */
 function media_tab_files_options(){
-    global $lang, $NS;
+    global $lang;
+    global $NS;
+    global $INPUT;
     $form = new Doku_Form(array('class' => 'options', 'method' => 'get',
                                 'action' => wl($ID)));
     $media_manager_params = media_managerURL(array(), '', false, true);
@@ -649,8 +653,8 @@ function media_tab_files_options(){
         $form->addHidden($pKey, $pVal);
     }
     $form->addHidden('sectok', null);
-    if (isset($_REQUEST['q'])) {
-        $form->addHidden('q', $_REQUEST['q']);
+    if ($INPUT->has('q')) {
+        $form->addHidden('q', $INPUT->str('q'));
     }
     $form->addElement('<ul>'.NL);
     foreach(array('list' => array('listType', array('thumbs', 'rows')),
@@ -694,9 +698,10 @@ function _media_get_list_type() {
 }
 
 function _media_get_display_param($param, $values) {
-    if (isset($_REQUEST[$param]) && in_array($_REQUEST[$param], $values)) {
+    global $INPUT;
+    if (in_array($INPUT->str($param), $values)) {
         // FIXME: Set cookie
-        return $_REQUEST[$param];
+        return $INPUT->str($param);
     } else {
         $val = get_doku_pref($param, $values['default']);
         if (!in_array($val, $values)) {
@@ -746,10 +751,10 @@ function media_tab_upload($ns,$auth=null,$jump='') {
  */
 function media_tab_search($ns,$auth=null) {
     global $lang;
+    global $INPUT;
 
-    $do = $_REQUEST['mediado'];
-    $query = $_REQUEST['q'];
-    if (!$query) $query = '';
+    $do = $INPUT->str('mediado');
+    $query = $INPUT->str('q');
     echo '<div class="search">'.NL;
 
     media_searchform($ns, $query, true);
@@ -801,14 +806,16 @@ function media_tab_edit($image, $ns, $auth=null) {
  */
 function media_tab_history($image, $ns, $auth=null) {
     global $lang;
+    global $INPUT;
+
     if(is_null($auth)) $auth = auth_quickaclcheck("$ns:*");
-    $do = $_REQUEST['mediado'];
+    $do = $INPUT->str('mediado');
 
     if ($auth >= AUTH_READ && $image) {
         if ($do == 'diff'){
             media_diff($image, $ns, $auth);
         } else {
-            $first = isset($_REQUEST['first']) ? intval($_REQUEST['first']) : 0;
+            $first = $INPUT->int('first');
             html_revisions($first, $image);
         }
     } else {
@@ -1002,21 +1009,22 @@ function media_details($image, $auth, $rev=false, $meta=false) {
 function media_diff($image, $ns, $auth, $fromajax = false) {
     global $lang;
     global $conf;
+    global $INPUT;
 
     if ($auth < AUTH_READ || !$image || !$conf['mediarevisions']) return '';
 
-    $rev1 = (int) $_REQUEST['rev'];
+    $rev1 = $INPUT->int('rev');
 
-    if(is_array($_REQUEST['rev2'])){
-        $rev1 = (int) $_REQUEST['rev2'][0];
-        $rev2 = (int) $_REQUEST['rev2'][1];
+    if(is_array($INPUT->ref('rev2'))){
+        $rev1 = (int) $INPUT->arr('rev2')[0];
+        $rev2 = (int) $INPUT->arr('rev2')[1];
 
         if(!$rev1){
             $rev1 = $rev2;
             unset($rev2);
         }
     }else{
-        $rev2 = (int) $_REQUEST['rev2'];
+        $rev2 = $INPUT->int('rev2');
     }
 
     if ($rev1 && !file_exists(mediaFN($image, $rev1))) $rev1 = false;
@@ -1071,7 +1079,9 @@ function _media_file_diff($data) {
  * @author Kate Arzamastseva <pshns@ukr.net>
  */
 function media_file_diff($image, $l_rev, $r_rev, $ns, $auth, $fromajax){
-    global $lang, $config_cascade;
+    global $lang;
+    global $config_cascade;
+    global $INPUT;
 
     $l_meta = new JpegMeta(mediaFN($image, $l_rev));
     $r_meta = new JpegMeta(mediaFN($image, $r_rev));
@@ -1082,7 +1092,7 @@ function media_file_diff($image, $l_rev, $r_rev, $ns, $auth, $fromajax){
         $r_size = media_image_preview_size($image, $r_rev, $r_meta);
         $is_img = ($l_size && $r_size && ($l_size[0] >= 30 || $r_size[0] >= 30));
 
-        $difftype = $_REQUEST['difftype'];
+        $difftype = $INPUT->str('difftype');
 
         if (!$fromajax) {
             $form = new Doku_Form(array(
@@ -1527,11 +1537,12 @@ function media_printimgdetail($item, $fullscreen=false){
 function media_managerURL($params=false, $amp='&amp;', $abs=false, $params_array=false) {
     global $conf;
     global $ID;
+    global $INPUT;
 
     $gets = array('do' => 'media');
     $media_manager_params = array('tab_files', 'tab_details', 'image', 'ns', 'list', 'sort');
     foreach ($media_manager_params as $x) {
-        if (isset($_REQUEST[$x])) $gets[$x] = $_REQUEST[$x];
+        if ($INPUT->has($x)) $gets[$x] = $INPUT->str($x);
     }
 
     if ($params) {
@@ -1555,7 +1566,9 @@ function media_managerURL($params=false, $amp='&amp;', $abs=false, $params_array
  * @author Kate Arzamastseva <pshns@ukr.net>
  */
 function media_uploadform($ns, $auth, $fullscreen = false){
-    global $lang, $conf;
+    global $lang;
+    global $conf;
+    global $INPUT;
 
     if($auth < AUTH_UPLOAD) {
         echo '<div class="nothing">'.$lang['media_perm_upload'].'</div>'.NL;
@@ -1565,9 +1578,9 @@ function media_uploadform($ns, $auth, $fullscreen = false){
 
     $update = false;
     $id = '';
-    if ($auth >= $auth_ow && $fullscreen && $_REQUEST['mediado'] == 'update') {
+    if ($auth >= $auth_ow && $fullscreen && $INPUT->str('mediado') == 'update') {
         $update = true;
-        $id = cleanID($_REQUEST['image']);
+        $id = cleanID($INPUT->str('image'));
     }
 
     // The default HTML upload form
@@ -1697,12 +1710,13 @@ function media_nstree($ns){
  * @author Andreas Gohr <andi@splitbrain.org>
  */
 function media_nstree_item($item){
+    global $INPUT;
     $pos   = strrpos($item['id'], ':');
     $label = substr($item['id'], $pos > 0 ? $pos + 1 : 0);
     if(!$item['label']) $item['label'] = $label;
 
     $ret  = '';
-    if (!($_REQUEST['do'] == 'media'))
+    if (!($INPUT->str('do') == 'media'))
     $ret .= '<a href="'.DOKU_BASE.'lib/exe/mediamanager.php?ns='.idfilter($item['id']).'" class="idx_dir">';
     else $ret .= '<a href="'.media_managerURL(array('ns' => idfilter($item['id'], false), 'tab_files' => 'files'))
         .'" class="idx_dir">';
diff --git a/lib/exe/mediamanager.php b/lib/exe/mediamanager.php
index 5f09fe1f8..83166a2f4 100644
--- a/lib/exe/mediamanager.php
+++ b/lib/exe/mediamanager.php
@@ -11,24 +11,23 @@
     session_write_close();  //close session
 
     // handle passed message
-    if($_REQUEST['msg1']) msg(hsc($_REQUEST['msg1']),1);
-    if($_REQUEST['err']) msg(hsc($_REQUEST['err']),-1);
+    if($INPUT->str('msg1')) msg(hsc($INPUT->str('msg1')),1);
+    if($INPUT->str('err')) msg(hsc($INPUT->str('err')),-1);
 
 
     // get namespace to display (either direct or from deletion order)
-    if($_REQUEST['delete']){
-        $DEL = cleanID($_REQUEST['delete']);
+    if($INPUT->str('delete')){
+        $DEL = cleanID($INPUT->str('delete'));
         $IMG = $DEL;
         $NS  = getNS($DEL);
-    }elseif($_REQUEST['edit']){
-        $IMG = cleanID($_REQUEST['edit']);
+    }elseif($INPUT->str('edit')){
+        $IMG = cleanID($INPUT->str('edit'));
         $NS  = getNS($IMG);
-    }elseif($_REQUEST['img']){
-        $IMG = cleanID($_REQUEST['img']);
+    }elseif($INPUT->str('img')){
+        $IMG = cleanID($INPUT->str('img'));
         $NS  = getNS($IMG);
     }else{
-        $NS = $_REQUEST['ns'];
-        $NS = cleanID($NS);
+        $NS = cleanID($INPUT->str('ns'));
     }
 
     // check auth
@@ -76,18 +75,18 @@
     }
 
     // handle meta saving
-    if($IMG && @array_key_exists('save', $_REQUEST['do'])){
-        $JUMPTO = media_metasave($IMG,$AUTH,$_REQUEST['meta']);
+    if($IMG && @array_key_exists('save', $INPUT->arr('do'))){
+        $JUMPTO = media_metasave($IMG,$AUTH,$INPUT->arr('meta'));
     }
 
-    if($IMG && ($_REQUEST['mediado'] == 'save' || @array_key_exists('save', $_REQUEST['mediado']))) {
-        $JUMPTO = media_metasave($IMG,$AUTH,$_REQUEST['meta']);
+    if($IMG && ($INPUT->str('mediado') == 'save' || @array_key_exists('save', $INPUT->arr('mediado')))) {
+        $JUMPTO = media_metasave($IMG,$AUTH,$INPUT->arr('meta'));
     }
 
-    if ($_REQUEST['rev'] && $conf['mediarevisions']) $REV = (int) $_REQUEST['rev'];
+    if ($INPUT->int('rev') && $conf['mediarevisions']) $REV = $INPUT->int('rev');
 
-    if($_REQUEST['mediado'] == 'restore' && $conf['mediarevisions']){
-        $JUMPTO = media_restore($_REQUEST['image'], $REV, $AUTH);
+    if($INPUT->str('mediado') == 'restore' && $conf['mediarevisions']){
+        $JUMPTO = media_restore($INPUT->str('image'), $REV, $AUTH);
     }
 
     // handle deletion
@@ -101,7 +100,7 @@
             if ($res & DOKU_MEDIA_EMPTY_NS && !$fullscreen) {
                 // current namespace was removed. redirecting to root ns passing msg along
                 send_redirect(DOKU_URL.'lib/exe/mediamanager.php?msg1='.
-                        rawurlencode($msg).'&edid='.$_REQUEST['edid']);
+                        rawurlencode($msg).'&edid='.$INPUT->str('edid'));
             }
             msg($msg,1);
         } elseif ($res & DOKU_MEDIA_INUSE) {
-- 
cgit v1.2.3


From f0859d4bbcf66e7ac5c42aae828058a98fa6355e Mon Sep 17 00:00:00 2001
From: Tom N Harris <tnharris@whoopdedo.org>
Date: Thu, 28 Jun 2012 23:31:31 -0400
Subject: Input wrapper for html forms

---
 inc/form.php        |  5 +++--
 inc/html.php        | 49 ++++++++++++++++++++++++++++---------------------
 inc/parser/code.php |  3 ++-
 3 files changed, 33 insertions(+), 24 deletions(-)

diff --git a/inc/form.php b/inc/form.php
index e74c52c5d..bdf520a2e 100644
--- a/inc/form.php
+++ b/inc/form.php
@@ -295,8 +295,9 @@ class Doku_Form {
      */
 
     function addRadioSet($name, $entries) {
-        $value = (isset($_POST[$name]) && isset($entries[$_POST[$name]])) ?
-                 $_POST[$name] : key($entries);
+        global $INPUT;
+        $value = (array_key_exists($INPUT->post->str($name), $entries)) ?
+                 $INPUT->str($name) : key($entries);
         foreach($entries as $val => $cap) {
             $data = ($value === $val) ? array('checked' => 'checked') : array();
             $this->addElement(form_makeRadioField($name, $val, $cap, '', '', $data));
diff --git a/inc/html.php b/inc/html.php
index be5666353..08b051f40 100644
--- a/inc/html.php
+++ b/inc/html.php
@@ -46,6 +46,7 @@ function html_login(){
     global $lang;
     global $conf;
     global $ID;
+    global $INPUT;
 
     print p_locale_xhtml('login');
     print '<div class="centeralign">'.NL;
@@ -53,7 +54,7 @@ function html_login(){
     $form->startFieldset($lang['btn_login']);
     $form->addHidden('id', $ID);
     $form->addHidden('do', 'login');
-    $form->addElement(form_makeTextField('u', ((!$_REQUEST['http_credentials']) ? $_REQUEST['u'] : ''), $lang['user'], 'focus__this', 'block'));
+    $form->addElement(form_makeTextField('u', ((!$INPUT->bool('http_credentials')) ? $INPUT->str('u') : ''), $lang['user'], 'focus__this', 'block'));
     $form->addElement(form_makePasswordField('p', $lang['pass'], '', 'block'));
     if($conf['rememberme']) {
         $form->addElement(form_makeCheckboxField('r', '1', $lang['remember'], 'remember__me', 'simple'));
@@ -1070,8 +1071,9 @@ function html_diff($text='',$intro=true,$type=null){
     global $REV;
     global $lang;
     global $conf;
+    global $INPUT;
 
-    if(!$type) $type = $_REQUEST['difftype'];
+    if(!$type) $type = $INPUT->str('difftype');
     if($type != 'inline') $type = 'sidebyside';
 
     // we're trying to be clever here, revisions to compare can be either
@@ -1079,16 +1081,16 @@ function html_diff($text='',$intro=true,$type=null){
     // array in rev2.
     $rev1 = $REV;
 
-    if(is_array($_REQUEST['rev2'])){
-        $rev1 = (int) $_REQUEST['rev2'][0];
-        $rev2 = (int) $_REQUEST['rev2'][1];
+    if(is_array($INPUT->ref('rev2'))){
+        $rev1 = (int) $INPUT->int('rev2')[0];
+        $rev2 = (int) $INPUT->int('rev2')[1];
 
         if(!$rev1){
             $rev1 = $rev2;
             unset($rev2);
         }
     }else{
-        $rev2 = (int) $_REQUEST['rev2'];
+        $rev2 = $INPUT->int('rev2');
     }
 
     $r_minor = '';
@@ -1246,6 +1248,7 @@ function html_register(){
     global $lang;
     global $conf;
     global $ID;
+    global $INPUT;
 
     print p_locale_xhtml('register');
     print '<div class="centeralign">'.NL;
@@ -1253,13 +1256,13 @@ function html_register(){
     $form->startFieldset($lang['btn_register']);
     $form->addHidden('do', 'register');
     $form->addHidden('save', '1');
-    $form->addElement(form_makeTextField('login', $_POST['login'], $lang['user'], '', 'block', array('size'=>'50')));
+    $form->addElement(form_makeTextField('login', $INPUT->post->str('login'), $lang['user'], '', 'block', array('size'=>'50')));
     if (!$conf['autopasswd']) {
         $form->addElement(form_makePasswordField('pass', $lang['pass'], '', 'block', array('size'=>'50')));
         $form->addElement(form_makePasswordField('passchk', $lang['passchk'], '', 'block', array('size'=>'50')));
     }
-    $form->addElement(form_makeTextField('fullname', $_POST['fullname'], $lang['fullname'], '', 'block', array('size'=>'50')));
-    $form->addElement(form_makeTextField('email', $_POST['email'], $lang['email'], '', 'block', array('size'=>'50')));
+    $form->addElement(form_makeTextField('fullname', $INPUT->post->str('fullname'), $lang['fullname'], '', 'block', array('size'=>'50')));
+    $form->addElement(form_makeTextField('email', $INPUT->post->str('email'), $lang['email'], '', 'block', array('size'=>'50')));
     $form->addElement(form_makeButton('submit', '', $lang['btn_register']));
     $form->endFieldset();
     html_form('register', $form);
@@ -1276,26 +1279,27 @@ function html_register(){
 function html_updateprofile(){
     global $lang;
     global $conf;
+    global $INPUT;
     global $ID;
     global $INFO;
     global $auth;
 
     print p_locale_xhtml('updateprofile');
 
-    if (empty($_POST['fullname'])) $_POST['fullname'] = $INFO['userinfo']['name'];
-    if (empty($_POST['email'])) $_POST['email'] = $INFO['userinfo']['mail'];
+    $fullname = $INPUT->post->str('fullname', $INFO['userinfo']['name'], true);
+    $email = $INPUT->post->str('email', $INFO['userinfo']['mail'], true);
     print '<div class="centeralign">'.NL;
     $form = new Doku_Form(array('id' => 'dw__register'));
     $form->startFieldset($lang['profile']);
     $form->addHidden('do', 'profile');
     $form->addHidden('save', '1');
-    $form->addElement(form_makeTextField('fullname', $_SERVER['REMOTE_USER'], $lang['user'], '', 'block', array('size'=>'50', 'disabled'=>'disabled')));
+    $form->addElement(form_makeTextField('login', $_SERVER['REMOTE_USER'], $lang['user'], '', 'block', array('size'=>'50', 'disabled'=>'disabled')));
     $attr = array('size'=>'50');
     if (!$auth->canDo('modName')) $attr['disabled'] = 'disabled';
-    $form->addElement(form_makeTextField('fullname', $_POST['fullname'], $lang['fullname'], '', 'block', $attr));
+    $form->addElement(form_makeTextField('fullname', $fullname, $lang['fullname'], '', 'block', $attr));
     $attr = array('size'=>'50');
     if (!$auth->canDo('modMail')) $attr['disabled'] = 'disabled';
-    $form->addElement(form_makeTextField('email', $_POST['email'], $lang['email'], '', 'block', $attr));
+    $form->addElement(form_makeTextField('email', $email, $lang['email'], '', 'block', $attr));
     $form->addElement(form_makeTag('br'));
     if ($auth->canDo('modPass')) {
         $form->addElement(form_makePasswordField('newpass', $lang['newpass'], '', 'block', array('size'=>'50')));
@@ -1320,6 +1324,7 @@ function html_updateprofile(){
  * @triggers HTML_EDITFORM_OUTPUT
  */
 function html_edit(){
+    global $INPUT;
     global $ID;
     global $REV;
     global $DATE;
@@ -1332,8 +1337,8 @@ function html_edit(){
     global $TEXT;
     global $RANGE;
 
-    if (isset($_REQUEST['changecheck'])) {
-        $check = $_REQUEST['changecheck'];
+    if ($INPUT->has('changecheck')) {
+        $check = $INPUT->str('changecheck');
     } elseif(!$INFO['exists']){
         // $TEXT has been loaded from page template
         $check = md5('');
@@ -1368,8 +1373,8 @@ function html_edit(){
     $data = array('form' => $form,
                   'wr'   => $wr,
                   'media_manager' => true,
-                  'target' => (isset($_REQUEST['target']) && $wr &&
-                               $RANGE !== '') ? $_REQUEST['target'] : 'section',
+                  'target' => ($INPUT->has('target') && $wr &&
+                               $RANGE !== '') ? $INPUT->str('target') : 'section',
                   'intro_locale' => $include);
 
     if ($data['target'] !== 'section') {
@@ -1456,6 +1461,7 @@ function html_edit_form($param) {
 function html_minoredit(){
     global $conf;
     global $lang;
+    global $INPUT;
     // minor edits are for logged in users only
     if(!$conf['useacl'] || !$_SERVER['REMOTE_USER']){
         return false;
@@ -1463,7 +1469,7 @@ function html_minoredit(){
 
     $p = array();
     $p['tabindex'] = 3;
-    if(!empty($_REQUEST['minor'])) $p['checked']='checked';
+    if($INPUT->bool('minor')) $p['checked']='checked';
     return form_makeCheckboxField('minor', '1', $lang['minoredit'], 'minoredit', 'nowrap', $p);
 }
 
@@ -1669,8 +1675,9 @@ function html_resendpwd() {
     global $lang;
     global $conf;
     global $ID;
+    global $INPUT;
 
-    $token = preg_replace('/[^a-f0-9]+/','',$_REQUEST['pwauth']);
+    $token = preg_replace('/[^a-f0-9]+/','',$INPUT->str('pwauth'));
 
     if(!$conf['autopasswd'] && $token){
         print p_locale_xhtml('resetpwd');
@@ -1695,7 +1702,7 @@ function html_resendpwd() {
         $form->addHidden('do', 'resendpwd');
         $form->addHidden('save', '1');
         $form->addElement(form_makeTag('br'));
-        $form->addElement(form_makeTextField('login', $_POST['login'], $lang['user'], '', 'block'));
+        $form->addElement(form_makeTextField('login', $INPUT->post->str('login'), $lang['user'], '', 'block'));
         $form->addElement(form_makeTag('br'));
         $form->addElement(form_makeTag('br'));
         $form->addElement(form_makeButton('submit', '', $lang['btn_resendpwd']));
diff --git a/inc/parser/code.php b/inc/parser/code.php
index 4d94dcf4e..ff44a4e1e 100644
--- a/inc/parser/code.php
+++ b/inc/parser/code.php
@@ -16,11 +16,12 @@ class Doku_Renderer_code extends Doku_Renderer {
      * When the correct block was found it exits the script.
      */
     function code($text, $language = NULL, $filename='' ) {
+        global $INPUT;
         if(!$language) $language = 'txt';
         if(!$filename) $filename = 'snippet.'.$language;
         $filename = basename($filename);
 
-        if($this->_codeblock == $_REQUEST['codeblock']){
+        if($this->_codeblock == $INPUT->str('codeblock')){
             header("Content-Type: text/plain; charset=utf-8");
             header("Content-Disposition: attachment; filename=$filename");
             header("X-Robots-Tag: noindex");
-- 
cgit v1.2.3


From 361f1762edc347181a45a66ba541ba8f144552c0 Mon Sep 17 00:00:00 2001
From: Tom N Harris <tnharris@whoopdedo.org>
Date: Fri, 29 Jun 2012 00:03:16 -0400
Subject: fix necessary global declaration

---
 lib/exe/mediamanager.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/exe/mediamanager.php b/lib/exe/mediamanager.php
index 83166a2f4..04dd178cc 100644
--- a/lib/exe/mediamanager.php
+++ b/lib/exe/mediamanager.php
@@ -10,6 +10,7 @@
     trigger_event('MEDIAMANAGER_STARTED',$tmp=array());
     session_write_close();  //close session
 
+    global $INPUT;
     // handle passed message
     if($INPUT->str('msg1')) msg(hsc($INPUT->str('msg1')),1);
     if($INPUT->str('err')) msg(hsc($INPUT->str('err')),-1);
-- 
cgit v1.2.3


From 36d61a2c62ee2c4198229406af6aa91b14bf6125 Mon Sep 17 00:00:00 2001
From: Tom N Harris <tnharris@whoopdedo.org>
Date: Fri, 29 Jun 2012 00:04:38 -0400
Subject: fix incorrect usage of tpl_getMediaFile

---
 feed.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/feed.php b/feed.php
index 09a204fe2..906f8e7bb 100644
--- a/feed.php
+++ b/feed.php
@@ -53,7 +53,7 @@ $rss->cssStyleSheet  = DOKU_URL.'lib/exe/css.php?s=feed';
 
 $image        = new FeedImage();
 $image->title = $conf['title'];
-$image->url   = tpl_getMediaFile('favicon.ico', true);
+$image->url   = tpl_getMediaFile(array(':wiki:favicon.ico', ':favicon.ico', 'images/favicon.ico'), true);
 $image->link  = DOKU_URL;
 $rss->image   = $image;
 
-- 
cgit v1.2.3