authorLukas Fleischer <archlinux@cryptocrack.de>2012-11-04 19:13:03 +0100
committerLukas Fleischer <archlinux@cryptocrack.de>2012-11-04 19:19:32 +0100
commit630f1cbae8473fb05e5f5af7244eccc60fe93812 (patch)
tree82eadb7175cc546baf740ef2aec74aafa35965c1
parentf190a845775381dfa8f583bd587337ae647629e8 (diff)
downloadaurweb-630f1cbae8473fb05e5f5af7244eccc60fe93812.tar.xz
Avoid use of "$_SERVER['REQUEST_URI']"
Use the routing library to build proper URIs instead of relying on the "REQUEST_URI" server variable, which can be manipulated and might return bogus URIs.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
-rw-r--r--web/html/login.php4
-rw-r--r--web/template/pkg_comment_form.php2
2 files changed, 3 insertions, 3 deletions
diff --git a/web/html/login.php b/web/html/login.php
index d5bb1e7..9b3715b 100644
--- a/web/html/login.php
+++ b/web/html/login.php
@@ -20,7 +20,7 @@ html_header('AUR ' . __("Login"));
<a href="<?php get_uri('/logout/'); ?>">[<?= __("Logout"); ?>]</a>
</p>
<?php elseif (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])): ?>
- <form method="post" action="<?= htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES) ?>">
+ <form method="post" action="<?= get_uri('/login') ?>">
<fieldset>
<legend><?= __('Enter login credentials') ?></legend>
<?php if (!empty($login_error)): ?>
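Review bot: The new action attribute echoes `get_uri('/login')` without the `htmlspecialchars(..., ENT_QUOTES)` the removed line applied, so the output is only safe if the router never returns `&`, quotes or other attribute-significant characters; the same escape is dropped at the `$AUR_LOCATION . get_uri('/login')` line in the next hunk and at the `get_pkg_uri($row['Name'])` line in pkg_comment_form.php. Keeping the escape at the output site is cheap and makes the template correct regardless of what the helper returns: `<form method="post" action="<?= htmlspecialchars(get_uri('/login'), ENT_QUOTES) ?>">`. Separately, the old action preserved whatever query string the login page was reached with, while the fixed `/login` path drops it; if the handler relied on that (a return-to parameter, say), it now has to travel in a hidden field — this is inferred, not visible in the hunk. The context line `<?php get_uri('/logout/'); ?>` discards the helper's return value, unlike the `<?=` form used on the new line, and is worth aligning while touching this file. The enclosing `if`/`elseif` block starts before the hunk.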
@@ -47,7 +47,7 @@ html_header('AUR ' . __("Login"));
<?php else: ?>
<p>
<?php printf(__("HTTP login is disabled. Please %sswitch to HTTPs%s if you want to login."),
- '<a href="' . $AUR_LOCATION . htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES) . '">', '</a>'); ?>
+ '<a href="' . $AUR_LOCATION . get_uri('/login') . '">', '</a>'); ?>
</p>
<?php endif; ?>
</div>
diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php
index da871ec..8e74fe6 100644
--- a/web/template/pkg_comment_form.php
+++ b/web/template/pkg_comment_form.php
@@ -1,6 +1,6 @@
<div id="generic-form" class="box">
<h2><?= __("Add Comment"); ?></h2>
- <form action="<?= $_SERVER['REQUEST_URI'] ?>" method="post">
+ <form action="<?= get_pkg_uri($row['Name']) ?>" method="post">
<fieldset>
<?php
if (isset($_REQUEST['comment']) && check_token()) {
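Review bot: The new action passes `$row['Name']` into the path via `get_pkg_uri`, so correctness of the generated URI now depends on that helper applying `rawurlencode()` to its argument; `$row` is populated outside this hunk, and nothing here shows where `Name` comes from or what characters it may contain. If `get_pkg_uri` does not encode, a name containing `/`, `?` or `#` changes the route the comment is posted to; please confirm the helper, or encode at the call site: `get_pkg_uri(rawurlencode($row['Name']))` if the helper takes a pre-encoded segment. The `<?php` block opened on the last context line continues past the end of the hunk.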