init.php: encode less: only specialchars are ancoded + ampersand in QUERY_STRING and REQUEST_URI is /not/ encoded (otherwise parameter separation is broken)

1 files changed, 9 insertions, 3 deletions

diff --git a/init.php b/init.php
index 1a978ff..993723e 100644
--- a/init.php
+++ b/init.php
@@ -6,14 +6,20 @@ while ($old != $_SERVER['QUERY_STRING']) {
   $old = $_SERVER['QUERY_STRING'];
   $_SERVER['QUERY_STRING'] = urldecode($_SERVER['QUERY_STRING']);
 }
-$_SERVER['QUERY_STRING'] = htmlentities($_SERVER['QUERY_STRING']);
+$_SERVER['QUERY_STRING'] =
+  str_replace('&', '&',
+    htmlspecialchars($_SERVER['QUERY_STRING'])
+  );
 
 $old = '';
 while ($old != $_SERVER['REQUEST_URI']) {
   $old = $_SERVER['REQUEST_URI'];
   $_SERVER['REQUEST_URI'] = urldecode($_SERVER['REQUEST_URI']);
 }
-$_SERVER['REQUEST_URI'] = htmlentities($_SERVER['REQUEST_URI']);
+$_SERVER['REQUEST_URI'] =
+  str_replace('&', '&',
+    htmlspecialchars($_SERVER['REQUEST_URI'])
+  );
 
 foreach ($_GET as $key => $val) {
   $old = '';
@@ -21,5 +27,5 @@ foreach ($_GET as $key => $val) {
     $old = $_GET[$key];
     $_GET[$key] = urldecode($_GET[$key]);
   }
-  $_GET[$key] = htmlentities($_GET[$key]);
+  $_GET[$key] = htmlspecialchars($_GET[$key]);
 }