Limit reading of GET parameters to lang and filter that strictly.

2.6-release-tour.phtml

@@ -3,7 +3,6 @@ include("lang.php");
 $title = T_("GnuCash 2.6 release tour");
 $description = T_("This tour will introduce you to new major features in <span class=\"gnucash\">GnuCash</span> 2.6.");
 $page = basename($_SERVER['SCRIPT_NAME']);
-include("emulate_globals_on.php");
 include("$top_dir/externals/header.phtml");
 include("$top_dir/externals/menu.phtml");
 ?>

develdocs.phtml

@@ -1,5 +1,4 @@
 <?php 
-include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("Writing Documentation");
 $description = T_("If you are interested in improving the <span class=\"gnucash\">GnuCash</span> documentation, you have come to the right place. This page will provide you with the necessary information to get started.");

docs.phtml

@@ -14,7 +14,6 @@
   $pdf = T_("Download documentation as PDF");
   $epub = T_("Download documentation as epub");
   $mobi = T_("Download documentation as mobipocket");
-  include("emulate_globals_on.php");
   include("externals/header.phtml");
   include("externals/menu.phtml");
 ?>

donate.phtml

@@ -1,5 +1,4 @@
 <?php
-  include ("emulate_globals_on.php");
   include ("lang.php");
   $title = T_ ( "Donations" );
   $description = T_("<span class=\"gnucash\">GnuCash</span> is Free Software and is made available free of charge. Your donation, which is purely optional, supports our worldwide community. If you like the software, please consider a donation. We are only a handfull of developers and other volunteers serving countless users worldwide.");

download.phtml

@@ -1,6 +1,5 @@
 <?php 
   $homepage = false;
-  include("emulate_globals_on.php");
   include("lang.php");
   $title = T_("Download");
   $description = T_("Download executable bundles of the <span class=\"gnucash\">GnuCash</span> program inclusive documentation or the source files here. Several versions are available for recent and older operating systems.");

externals/header.phtml

@@ -12,22 +12,28 @@
   $full_title = $title." | GnuCash";
   if (!isset($description)) {
       $description = $default_description;
-  };
+   }
 
   # This function will create a link to the given page
   # reusing the get parameters that were specified
   # with the option to override the language
-  function make_lang_href($page, $get_parms, $lang)
+  function make_lang_href($page, $get_parms, $lang="")
   {
       if (isset($lang) && $lang != "") {
           $get_parms["lang"] = $lang;
       }
-      $url_get_query = http_build_query($get_parms);
-      $lang_href = "$page"."?"."$url_get_query";
+      if (in_array($get_parms["lang"], array_values($GLOBALS["supported_languages"]), TRUE) ||
+           array_key_exists($get_parms["lang"], $GLOBALS["supported_languages"])) {
+          $url_get_query = http_build_query($get_parms);
+          $lang_href = "$page"."?"."$url_get_query";
+      } else {
+          $lang_href = "$page";
+      }
       return $lang_href;
   }
-
-  $get_parms = $_GET;
+
+   $input_filter_args = array('lang' => FILTER_SANITIZE_STRING);
+  $get_parms = filter_input_array(INPUT_GET, $input_filter_args);
 
   if (isset($locale)) {
       if (substr($locale, 0, 2) != 'zh') {
@@ -63,7 +69,7 @@
     ?>
     <meta property="og:title" content="<?=$full_title?>"/>
     <meta property="og:type" content="website"/>
-    <meta property="og:url" content="<?=\DEFAULT_URL.filter_var($page, FILTER_SANITIZE_URL)?>"/>
+    <meta property="og:url" content="<?=\DEFAULT_URL.make_lang_href($page, $get_parms)?>"/>
     <meta property="og:image" content="<?=\DEFAULT_URL."externals/logo_w120.png"?>"/>
     <meta property="og:site_name" content="GnuCash"/>
     <meta property="og:description" content="<?=strip_tags($description)?>"/>

features.phtml

@@ -1,5 +1,4 @@
 <?php
-  include("emulate_globals_on.php");
   include("lang.php");
   $title = T_("Features");
   $description = T_("<span class=\"gnucash\">GnuCash</span> is powerful accounting software. Below are details of some of the numerous features that <span class=\"gnucash\">GnuCash</span> has to offer to its users.");

index.phtml

@@ -1,6 +1,5 @@
 <?php
 $homepage = true;
-include ("emulate_globals_on.php");
 include ("lang.php");
 $page = basename($_SERVER['SCRIPT_NAME']);
 // ^ alternate: __FILE__;

lang.php

@@ -21,7 +21,9 @@
 }
 
 # allow user override.
-if (array_key_exists('lang', $_GET)) { $locale = $_GET["lang"]; }
+$get_lang = filter_input(INPUT_GET, 'lang', FILTER_SANITIZE_STRING);
+
+if ($get_lang) { $locale = $get_lang; }
 
 # choose a default language based on the client browser's preferred
 # language list

new_features-4.0.phtml

@@ -1,5 +1,4 @@
 <?php
-  include("emulate_globals_on.php");
   include("lang.php");
   $title = T_("Features");;
   $description = sprintf (T_("What's New in GnuCash %s"),"4.0");

news.phtml

@@ -1,5 +1,4 @@
 <?php 
-include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("News");
 $description = T_("Announcement of New Releases, Server Maintenance …");

oldnews.phtml

@@ -1,5 +1,4 @@
 <?php 
-include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("Older Announcements");
 $description = T_("This is an archive of announcements that once appeared on the GnuCash home page.");

sizing.phtml

@@ -1,5 +1,4 @@
 <?php
-include("emulate_globals_on.php");
 include("lang.php");
 $title = T_("Sizing");
 $description = T_("This is an ancient page about Gnucash's code size.");

viewdoc.phtml

@@ -4,7 +4,6 @@
 # - help or guide (doc)
 # - doc version (rev)
 
-include("emulate_globals_on.php");
 include("lang.php");
 // Fixme: It is not trivial to reorder the components to get proper metatags
 $title = T_("View document");