diff --git a/core/timeline_inc.php b/core/timeline_inc.php
index 4de924c8d0..f8db3e6b5b 100644
--- a/core/timeline_inc.php
+++ b/core/timeline_inc.php
@@ -47,6 +47,18 @@ $t_block_icon = $t_collapse_block ? 'fa-chevron-down' : 'fa-chevron-up';
 $t_url_page = string_sanitize_url( basename( $_SERVER['SCRIPT_NAME'] ) );
+# Timeline shows shows next/prev buttons that reload the page with new timeline parameters
+# we must preserve parent script query parameters
+$t_url_params = array();
+if( !empty( $_GET ) ) {
+ # Sanitize request values to avoid xss
+ foreach( $_GET as $t_key => $t_value ) {
+ $t_url_params[$t_key] = htmlspecialchars( $t_value );
+ }
+}
+# clear timeline own parameters, which will be added later as needed
+unset( $t_url_params['days'] );
+unset( $t_url_params['all'] );
 ?>
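Review bot: `htmlspecialchars( $t_value )` inside the `foreach` over `$_GET` assumes every query value is a string, but PHP parses `?name[]=x` into an array, and `htmlspecialchars()` on an array raises a TypeError on PHP 8 (warning plus `null` on 7.x), so any request carrying an array-style parameter breaks the timeline block. HTML-escaping before `http_build_query()` is also the wrong layer: the values are percent-encoded for the URL anyway, and pre-escaping turns `&`, `"` and `'` into entities that then get encoded into the preserved parameters, corrupting them for the prev/next/more links built in the following two hunks. Keep only scalar values and let the URL encoding do its job, `if( is_scalar( $t_value ) ) { $t_url_params[$t_key] = $t_value; }`, and make sure `$t_href` is attribute-escaped at the point it is echoed (those echo lines are not legible in this extract). Consider also limiting the carried-over keys to the parameters the parent page actually accepts instead of reflecting the whole request into every link.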
@@ -74,14 +86,14 @@ echo '  '; echo '
';
- $t_url_params = array( 'days' => $f_days + 7 );
+ $t_url_params['days'] = $f_days + 7;
 $t_href = $t_url_page . '?' . http_build_query( $t_url_params );
 echo ' ' . lang_get( 'prev' ) . '';
 $t_next_days = max( $f_days - 7, 0 );
 if( $t_next_days != $f_days ) {
- $t_url_params = array( 'days' => $t_next_days );
+ $t_url_params['days'] = $t_next_days;
 $t_href = $t_url_page . '?' . http_build_query( $t_url_params );
 echo ' ' . lang_get( 'next' ) . '';
 }
@@ -101,10 +113,8 @@ timeline_print_events( $t_events );
 echo '
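Review bot: `http_build_query( $t_url_params )` on the `$t_href` lines now joins request-derived parameters with a bare `&`, and the hunk concatenates `$t_href` straight into the prev/next anchors with no escaping visible in the diff. Per-value percent-encoding keeps the link from becoming injectable, but a raw `&` inside an attribute is invalid HTML; either pass the separator explicitly, `http_build_query( $t_url_params, '', '&amp;' )`, or, preferably, apply `htmlspecialchars()` to `$t_href` where it is echoed, if the surrounding echo (mangled in this extract) does not already do so. The same applies to the `timeline_more` link in the next hunk. The enclosing PHP block begins before this hunk.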
'; echo '
';
- $t_url_params = array(
- 'days' => $f_days,
- 'all' => 1,
- );
+ $t_url_params['days'] = $f_days;
+ $t_url_params['all'] = 1;
 $t_href = $t_url_page . '?' . http_build_query( $t_url_params );
 echo '' . lang_get( 'timeline_more' ) . '';
 echo '
';