convert special chars to avoid xss

image.php

@@ -4,7 +4,7 @@
     $loc = "US";
 
     if( isset( $_GET['loc'] ) ) {
-        $loc = strtoupper($_GET["loc"]);
+        $loc = urlencode(strtoupper($_GET["loc"]));
     }
 
     //get the image url
@@ -38,9 +38,9 @@
  </head>
  <body">
     <small><a href="<?php echo $_SERVER['HTTP_REFERER'] . '?loc=' . strtoupper($loc) ?>">< Back to article</a></small>
-    <p><small><b>Viewing image:</b> <?php echo $url ?></small></p>
-    <img src="/image_compressed.php?i=<?php echo $url; ?>">
+    <p><small><b>Viewing image:</b> <?php echo htmlspecialchars($url, ENT_QUOTES, 'UTF-8') ?></small></p>
+    <img src="/image_compressed.php?i=<?php echo urlencode($url); ?>">
     <br><br>
     <small><a href="<?php echo $_SERVER['HTTP_REFERER'] . '?loc=' . strtoupper($loc) ?>">< Back to article</a></small>
  </body>
- </html>
+ </html>

index.php

@@ -67,12 +67,12 @@ function clean_str($str) {
 <?php if($show_results) { // there's a search query in q, so show search results ?>
 
     <form action="/" method="get">
-    <a href="/"><font size=6 color="#008000">Frog</font><font size=6 color="#000000">Find!</font></a> Leap again: <input type="text" size="30" name="q" value="<?php echo urldecode($query) ?>">
+    <a href="/"><font size=6 color="#008000">Frog</font><font size=6 color="#000000">Find!</font></a> Leap again: <input type="text" size="30" name="q" value="<?php echo htmlspecialchars(urldecode($query), ENT_QUOTES, 'UTF-8') ?>">
     <input type="submit" value="Ribbbit!">
     </form>
     <hr>
     <br>
-    <center>Search Results for <b><?php echo strip_tags(urldecode($query)) ?></b></center>
+    <center>Search Results for <b><?php echo htmlspecialchars(urldecode($query), ENT_QUOTES, 'UTF-8') ?></b></center>
     <br>
     <?php echo $final_result_html ?>
 
@@ -94,4 +94,4 @@ function clean_str($str) {
 <?php } ?>
 
 </body>
-</html>
+</html>

read.php

@@ -7,7 +7,7 @@
 $loc = "US";
 
 if( isset( $_GET['loc'] ) ) {
-    $loc = strtoupper($_GET["loc"]);
+    $loc = urlencode(strtoupper($_GET["loc"]));
 }
 
 if( isset( $_GET['a'] ) ) {
@@ -74,7 +74,7 @@ function clean_str($str) {
  <body>
     <p>
         <form action="/read.php" method="get">
-        <a href="/">Back to <b><font color="#008000">Frog</font><font color="000000">Find!</font></a></b> | Browsing URL: <input type="text" size="38" name="a" value="<?php echo $article_url ?>">
+        <a href="/">Back to <b><font color="#008000">Frog</font><font color="000000">Find!</font></a></b> | Browsing URL: <input type="text" size="38" name="a" value="<?php echo htmlspecialchars($article_url, ENT_QUOTES, 'UTF-8') ?>">
         <input type="submit" value="Go!">
         </form>
     </p>
@@ -97,4 +97,4 @@ function clean_str($str) {
     <?php if($error_text) { echo "<p><font color='red'>" . $error_text . "</font></p>"; } ?>
     <p><font size="4"><?php echo $readable_article;?></font></p>
  </body>
- </html>
+ </html>