Better handle other URL separator than & (bug #1487365).

ChangeLog

@@ -7,6 +7,8 @@ $Source$
 
 2006-05-12 Michal Čihař  <michal@cihar.com>
     * libraries/footer.inc.php: Escape user input to avoid XSS.
+    * libraries/common.lib.php, libraries/url_generating.lib.php: Better
+      handle other URL separator than & (bug #1487365).
 
 2006-05-06 Michal Čihař  <michal@cihar.com>
     * Documentation.html: Describe better regullar expressions in hide_db

libraries/common.lib.php

@@ -1088,16 +1088,7 @@ if (!defined('PMA_MINIMUM_COMMON')) {
                 if (strpos($uri, '?') === false) {
                     header('Location: ' . $uri . '?' . SID);
                 } else {
-                    // use seperators defined by php, but prefer ';'
-                    // as recommended by W3C
-                    $php_arg_separator_input = ini_get('arg_separator.input');
-                    if (strpos($php_arg_separator_input, ';') !== false) {
-                        $separator = ';';
-                    } elseif (strlen($php_arg_separator_input) > 0) {
-                        $separator = $php_arg_separator_input{0};
-                    } else {
-                        $separator = '&';
-                    }
+                    $separator = PMA_get_arg_separator();
                     header('Location: ' . $uri . $separator . SID);
                 }
             } else {
@@ -2060,9 +2051,10 @@ window.parent.updateTableTitle('<?php echo $uni_tbl; ?>', '<?php echo PMA_jsForm
             if (empty($tag_params['class'])) {
                 $tag_params['class'] = 'link';
             }
-            $url         = str_replace('&amp;', '&', $url);
+            $separator   = PMA_get_arg_separator();
+            $url         = str_replace(htmlentities($separator), $separator, $url);
             $url_parts   = parse_url($url);
-            $query_parts = explode('&', $url_parts['query']);
+            $query_parts = explode($separator, $url_parts['query']);
             if ($new_form) {
                 $ret = '<form action="' . $url_parts['path'] . '" class="link"'
                      . ' method="post"' . $target . ' style="display: inline;">';

libraries/url_generating.lib.php

@@ -155,14 +155,7 @@ function PMA_generate_common_url ($db = '', $table = '', $delim = '&')
 
     // use seperators defined by php, but prefer ';'
     // as recommended by W3C
-    $php_arg_separator_input = ini_get('arg_separator.input');
-    if (strpos($php_arg_separator_input, ';') !== false) {
-        $separator = ';';
-    } elseif (strlen($php_arg_separator_input) > 0) {
-        $separator = $php_arg_separator_input{0};
-    } else {
-        $separator = '&';
-    }
+    $separator = PMA_get_arg_separator();
 
     // check wether to htmlentity the separator or not
     if ($delim === '&') {
@@ -203,4 +196,26 @@ function PMA_generate_common_url ($db = '', $table = '', $delim = '&')
     return $questionmark . implode($delim, $param_strings);
 }
 
+/**
+ * Returns url separator
+ *
+ * @return  string   character used for separating url parts
+ *
+ * @access  public
+ *
+ * @author  nijel
+ */
+function PMA_get_arg_separator() {
+    // use seperators defined by php, but prefer ';'
+    // as recommended by W3C
+    $php_arg_separator_input = ini_get('arg_separator.input');
+    if (strpos($php_arg_separator_input, ';') !== false) {
+        return ';';
+    } elseif (strlen($php_arg_separator_input) > 0) {
+        return $php_arg_separator_input{0};
+    } else {
+        return '&';
+    }
+}
+
 ?>