RhubarbPHP · mballantinegcd · May 20, 2024 · May 23, 2024 · May 27, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Change log
 
+### 1.7.8
+
+* Updated: Requests containing URL parameters are now sanitised to prevent XSS attacks
+
 ### 1.7.7
 * Fixed: More deprecated required parameter follows optional parameter warnings
 

diff --git a/src/UrlHandlers/UrlHandler.php b/src/UrlHandlers/UrlHandler.php
@@ -266,6 +266,11 @@ protected function getAbsoluteHandledUrl()
         return $request->server("REQUEST_SCHEME") . "://" . $request->server("SERVER_NAME") . $this->handledUrl;
     }
 
+    private function sanitizeRequest($request) {
+        $request->uri = htmlspecialchars($request->uri);
+        return $request;
+    }
+
     /**
      * Return the response when appropriate or false if no response could be generated.
      *
@@ -277,6 +282,10 @@ protected function getAbsoluteHandledUrl()
      */
     public function generateResponse($request = null, $currentUrlFragment = false)
     {
+        if ($request !== null) {
+            $request = $this->sanitizeRequest($request);
+        }
+
         if ($currentUrlFragment === false) {
             $currentUrlFragment = $request->urlPath;
         }