From e6532439d68234d86176e4d967609d68dd564c1d Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Sun, 3 Dec 2017 23:35:38 +0300
Subject: force strip_tags() on all user input unless explicitly allowed

---
 include/functions.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'include/functions.php')

diff --git a/include/functions.php b/include/functions.php
index 417abfbb8..0fd8ef61a 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -725,6 +725,17 @@
 		}
 	}
 
+	// this is used for user http parameters unless HTML code is actually needed
+	function clean($param) {
+		if (is_array($param)) {
+			return array_map(strip_tags, $param);
+		} else if (is_string($param)) {
+			return strip_tags($param);
+		} else {
+			return $param;
+		}
+	}
+
 	function make_password($length = 8) {
 
 		$password = "";
-- 
cgit v1.2.3-54-g00ecf
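Review bot: The array branch of clean() passes a bare `strip_tags` to array_map, which PHP parses as an undefined constant rather than a callable; on PHP 7 it only works because the undefined constant degrades to the string "strip_tags" with a warning, and on PHP 8 it is a fatal Error, so the very inputs this commit means to filter (array-valued parameters such as `ids[]`) would go through unfiltered or crash. The same branch is not recursive: a nested array element is handed to strip_tags as a non-string, so multi-level request parameters are not cleaned either. Both points are fixed by recursing through the function itself, `return array_map('clean', $param);`, which keeps scalars and non-string values on their existing paths. It is also worth stating in the comment that strip_tags is a pre-filter, not an output escaper, since it leaves `&`, quotes and attribute content untouched; something like `// NOTE: strips tags from request input as defense in depth; callers must still escape for the output context (htmlspecialchars etc.)`.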