From 7d3bb21608d18c83945a5aa67e2a234035481b68 Mon Sep 17 00:00:00 2001
From: Osma Suominen
Date: Mon, 8 Jan 2024 14:37:11 +0200
Subject: [PATCH 1/2] don't perform HTML escaping for server constants to avoid breaking alphabetical index for diacritics
---
 model/Request.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/model/Request.php b/model/Request.php
index ea5de02d8..e492871a8 100644
--- a/model/Request.php
+++ b/model/Request.php
@@ -146,7 +146,7 @@ public function getQueryParamBoolean($paramName, $default)
 public function getServerConstant($paramName)
 {
 if (!isset($this->serverConstants[$paramName])) return null;
- return filter_var($this->serverConstants[$paramName], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+ return filter_var($this->serverConstants[$paramName], FILTER_SANITIZE_ADD_SLASHES);
 }
 public function getCookie($paramName)
From 9d8511f464bc94f7c8050ebb2f0ed49ad92bd60b Mon Sep 17 00:00:00 2001
From: Osma Suominen
Date: Mon, 8 Jan 2024 15:00:19 +0200
Subject: [PATCH 2/2] add unit tests for server constant sanitizing
---
 tests/RequestTest.php | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/tests/RequestTest.php b/tests/RequestTest.php
index 1f5ff4d88..fc249e1e8 100644
--- a/tests/RequestTest.php
+++ b/tests/RequestTest.php
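Review bot: FILTER_SANITIZE_ADD_SLASHES on the new return line does not protect any output context — it is addslashes(), which backslash-escapes quotes and backslashes but is neither HTML escaping nor a SQL defence — so it mangles legitimate values (a PATH_INFO containing `'` comes back as `\'`, which the second patch's testGetServerConstantQuoteIsEncoded then pins as expected behaviour) while suggesting a sanitisation that is not happening. Since the stated goal is to stop HTML-escaping, the cleaner fix is to return the stored value unchanged, `return $this->serverConstants[$paramName];`, and escape at each output site for its own context (htmlspecialchars in templates, prepared statements for SQL); if any existing caller relied on the old FILTER_SANITIZE_FULL_SPECIAL_CHARS result being HTML-safe, that caller now needs its own escaping. A docblock on getServerConstant stating that the value is returned raw and must be escaped by the caller would make that contract explicit. getCookie begins on the hunk's last line and continues outside it.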
@@ -274,4 +274,31 @@ public function testGetLangUrlSanitizeSpecialChars() {
 $this->assertEquals("http//example.com", $langurl);
 }
+ /**
+ * @covers Request::getServerConstant
+ */
+ public function testGetServerConstant() {
+ $this->request->setServerConstant('PATH_INFO', '/myvocab/index/X');
+ $path_info = $this->request->getServerConstant('PATH_INFO');
+ $this->assertEquals('/myvocab/index/X', $path_info);
+ }
+
+ /**
+ * @covers Request::getServerConstant
+ */
+ public function testGetServerConstantDiacriticNotEncoded() {
+ $this->request->setServerConstant('PATH_INFO', '/myvocab/index/Ä');
+ $path_info = $this->request->getServerConstant('PATH_INFO');
+ $this->assertEquals('/myvocab/index/Ä', $path_info);
+ }
+
+ /**
+ * @covers Request::getServerConstant
+ */
+ public function testGetServerConstantQuoteIsEncoded() {
+ $this->request->setServerConstant('PATH_INFO', "/myvocab/index/'");
+ $path_info = $this->request->getServerConstant('PATH_INFO');
+ $this->assertEquals("/myvocab/index/\'", $path_info);
+ }
+
+ }
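Review bot: None of the three new tests exercises the `!isset` branch of getServerConstant, so the null return for an unknown key is left unpinned; a further test such as testGetServerConstantMissingReturnsNull with `$this->assertNull($this->request->getServerConstant('NO_SUCH_CONSTANT'));` would cover it. testGetServerConstantQuoteIsEncoded locks in the addslashes output (`\'`) as the contract, which deserves a second look because backslash-escaping is not a meaningful sanitisation for HTML, URL or SQL contexts; if the intent is only "no HTML escaping", asserting that `<`, `&` and `'` come back unchanged would state that directly. Prefer `assertSame` over `assertEquals` in these tests so the string comparison is strict rather than loose.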