From d1f1d8ade7ab98bde70451874c94bb35584f9192 Mon Sep 17 00:00:00 2001 From: Andreas Fischer Date: Tue, 19 Apr 2011 14:10:23 +0200 Subject: [PATCH] [ticket/9802] Remove unnecessary htmlspecialchars() call on REMOTE_ADDR. The value in $_SERVER['REMOTE_ADDR'] is either validated to be a valid IP address or is replaced by our default value. Valid IP addresses do not contain HTML special characters, thus the htmlspecialchars() call is unnecessary. PHPBB3-9802 --- phpBB/includes/session.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index b2772696f1..79d94e7780 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -267,7 +267,7 @@ class session // Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests // it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip. - $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : ''; + $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? (string) $_SERVER['REMOTE_ADDR'] : ''; $this->ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->ip)); // split the list of IPs