#33 xajax.inc.php possible defect - XSS

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2010-04-07
Created: 2010-04-07
Creator: manful
Private: No

Hi,

xajax 0.5 standard / xajax_core / xajax.inc.php

Here you are cleaning the request URI of HTML tags:
Line 836:
Code: PHP
$_SERVER['REQUEST_URI'] = str_replace(
    array('"', "'", '<', '>'),
    array('%22', '%27', '%3C', '%3E'),
    $_SERVER['REQUEST_URI']
);
$aURL = parse_url($_SERVER['REQUEST_URI']);

but if parse_url() fails to return an array struct to $aURL (there are some XSS techniques that can do that), you are filling detectURI with:
line 901:
Code: PHP
if (empty($aURL['query']) && !empty($_SERVER['QUERY_STRING'])) {
    $aURL['query'] = $_SERVER['QUERY_STRING'];
}

without any HTML tags filtering.

So if you trust that the _detectURI function is clean from XSS code, it can surprise you after parse_url() fails.

You should add str_replace(..) to $_SERVER['QUERY_STRING'] in the same way as for $_SERVER['REQUEST_URI'].
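The fix the report asks for, written out as an added example (this is not xajax's own code and the function names encodeUriMetaChars and detectQueryComponent are this example's own, not xajax identifiers): the same four-character replacement that xajax applies to REQUEST_URI is applied to QUERY_STRING before it is used as the fallback query component, and the false return of parse_url() is handled explicitly instead of being indexed as if it were an array. The sample query string is constructed for the example.

```php
<?php
// Added example, not xajax code: hardened version of the fallback described
// in the report. Function names here are this example's own assumptions.

/**
 * Replace the four characters xajax encodes in REQUEST_URI with their
 * percent-encoded forms, so the value cannot open or close an HTML tag or
 * attribute if it is later echoed into a page.
 */
function encodeUriMetaChars($value)
{
    return str_replace(
        array('"', "'", '<', '>'),
        array('%22', '%27', '%3C', '%3E'),
        $value
    );
}

/**
 * Derive the query component the way the report's lines 836-901 do, but with
 * the fallback source sanitised as well. Returns the query string (possibly
 * empty) that a detectURI-style function would embed in its result.
 */
function detectQueryComponent($requestUri, $queryString)
{
    $requestUri  = encodeUriMetaChars($requestUri);
    $queryString = encodeUriMetaChars($queryString);   // the step the report asks for

    $aURL = parse_url($requestUri);
    if ($aURL === false) {
        // parse_url() returns false on seriously malformed input; start from
        // an empty structure instead of reading an offset on a boolean.
        $aURL = array();
    }

    // Same fallback as line 901, now fed with an already-encoded QUERY_STRING.
    if (empty($aURL['query']) && !empty($queryString)) {
        $aURL['query'] = $queryString;
    }

    return isset($aURL['query']) ? $aURL['query'] : '';
}

// Constructed sample input: a query string carrying quotes and angle brackets.
$sampleQuery = 'page=1&name="<b>x</b>"';

// Normal path: parse_url() succeeds and the query comes from REQUEST_URI.
echo detectQueryComponent('/index.php?' . $sampleQuery, $sampleQuery), "\n";

// Fallback path: REQUEST_URI carries no query part, so QUERY_STRING is used.
// With the added encoding the result matches the normal path instead of
// passing the raw characters through.
echo detectQueryComponent('/index.php', $sampleQuery), "\n";
```

Both paths now yield the same percent-encoded query, which is the property a caller of _detectURI would be relying on. The explicit `$aURL === false` check is a small extra on top of the report's suggestion: without it, a false from parse_url() makes `empty($aURL['query'])` true and the fallback branch is taken silently, which is exactly the path the report says bypasses the filtering.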
