X-Git-Url: https://delta.frontaccounting.com/gitweb/?a=blobdiff_plain;f=includes%2Fsession.inc;h=9a93a5311fa57cdfc9194d446f61a38c6ef5ea7d;hb=42c0611bc3c12d662001b2e13701e8ad6784bafa;hp=d747888ac84ee242f2208766508359e3593ef508;hpb=bac6bc5d595dab716bb3c65e451e81d724b8de2d;p=fa-stable.git

diff --git a/includes/session.inc b/includes/session.inc
index d747888a..9a93a531 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -238,6 +238,10 @@ set_error_handler('error_handler' /*, errtypes */);
 if (!isset($_SESSION["wa_current_user"]))
 	$_SESSION["wa_current_user"] = new current_user();
 
+html_cleanup($_GET);
+html_cleanup($_POST);
+html_cleanup($_REQUEST);
+
 // logout.php is the only page we should have always 
 // accessable regardless of access level and current login status.
 if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
@@ -251,7 +255,7 @@ if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
 		{
 			// strip ajax marker from uri, to force synchronous page reload
 			$_SESSION['timeout'] = array( 'uri'=>preg_replace('/JsHttpRequest=(?:(\d+)-)?([^&]+)/s',
-					'', @$_SERVER['REQUEST_URI']), 
+					'', @htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, $_SESSION['language']->encoding)), 
 				'post' => $_POST);
 
 			include($path_to_root . "/access/login.php");
@@ -291,6 +295,4 @@ $SysPrefs = &$_SESSION['SysPrefs'];
 // We quote all values later with db_escape() before db update.
 $_POST = strip_quotes($_POST);
 
-html_cleanup($_GET);
-html_cleanup($_POST);
 ?>
\ No newline at end of file