calendar xss take 4

interface/main/calendar/includes/pnMod.php

@@ -688,18 +688,17 @@ function pnModURL($modname, $type = 'user', $func = 'main', $args = array(), $pa
         foreach ($args as $k => $v) {
             if (is_array($v)) {
                 foreach ($v as $l => $w) {
-                    $url .= "&$k" . "[$l]=$w";
+                    $url .= "&" . attr($k) . "[" . attr($l) . "]=" . attr($w);
                 }
             } else {
-                $url .= "&$k=$v";
+                $url .= "&" . attr($k) . "=" . attr($v);
             }
         }
     }
 
     //remove characters not belonging in a path, prevent possible injection
     //this may break windows path accesses?
-    $path = preg_replace("/[^\.\/a-zA-Z0-9]/", "", $path)
-    ;
+    $path = preg_replace("/[^\.\/a-zA-Z0-9]/", "", $path);
 
     // The URL
     $final_url = pnGetBaseURL() . $path . $url;