make sure params are strings for manual-lookup.php (bug #61756)

salathe · salathe · commit ee6c0e89afea · 2012-04-17T22:36:09.000+01:00
diff --git a/include/langchooser.inc b/include/langchooser.inc
@@ -50,7 +50,7 @@ function language_choose_code()
     $explicitly_specified = ''; $selected = '';
     
     // Specified for the request (GET/POST parameter)
-    if (!empty($_REQUEST['lang'])) {
+    if (!empty($_REQUEST['lang']) && is_string($_REQUEST['lang'])) {
         $explicitly_specified = language_add(htmlspecialchars($_REQUEST['lang'], ENT_QUOTES, 'UTF-8'), $languages);
 
         // Set the language in a cookie for a year
diff --git a/manual-lookup.php b/manual-lookup.php
@@ -8,15 +8,13 @@
 // BC code, so pattern and function can both be used as
 // parameters to specify the function name
 $function = '';
-if (empty($_GET['function'])) {
-    if (!empty($_GET['pattern'])) {
-        $function = htmlspecialchars($_GET['pattern'], ENT_QUOTES, 'UTF-8');
-    }
-} else {
+if (!empty($_GET['function']) && is_string($_GET['function'])) {
     $function = htmlspecialchars($_GET['function'], ENT_QUOTES, 'UTF-8');
+} elseif (!empty($_GET['pattern']) && is_string($_GET['pattern'])) {
+    $function = htmlspecialchars($_GET['pattern'], ENT_QUOTES, 'UTF-8');
 }
 
-if(!empty($_GET['scope'])) {
+if(!empty($_GET['scope']) && is_string($_GET['scope'])) {
 	$scope = htmlspecialchars($_GET['scope'], ENT_QUOTES, 'UTF-8');
 } else {
 	$scope = '';
