fix: remove redundant sanitize_uri() on already-sanitized HTTP_REFERER

global.php:582 applies sanitize_uri() to $_SERVER['HTTP_REFERER'] on
every request. Calling it again in link.php causes a second urldecode()
pass, which can alter valid percent-encoded characters. Use the
pre-sanitized value directly; the external-host guard remains.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

Author: somethingwithproof

link.php

@@ -33,16 +33,18 @@
 // Prevent redirect loops
 if (isset($_SERVER['HTTP_REFERER'])) {
 	if (!str_contains($_SERVER['HTTP_REFERER'], 'link.php')) {
-		$raw                      = sanitize_uri($_SERVER['HTTP_REFERER']);
+		/* include/global.php already applied sanitize_uri() to HTTP_REFERER;
+		 * reject external hosts to prevent open-redirect via Referer. */
+		$raw                      = $_SERVER['HTTP_REFERER'];
 		$referer                  = (parse_url($raw, PHP_URL_HOST) === null || parse_url($raw, PHP_URL_HOST) === $_SERVER['HTTP_HOST']) ? $raw : 'index.php';
 		$_SESSION['link_referer'] = $referer;
 	} elseif (isset($_SESSION['link_referer'])) {
-		$referer = sanitize_uri($_SESSION['link_referer']);
+		$referer = $_SESSION['link_referer'];
 	} else {
 		$referer = 'index.php';
 	}
 } elseif (isset($_SESSION['link_referer'])) {
-	$referer = sanitize_uri($_SESSION['link_referer']);
+	$referer = $_SESSION['link_referer'];
 } else {
 	$referer = 'index.php';
 }