Index: openacs-4/packages/xotcl-core/tcl/context-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xotcl-core/tcl/context-procs.tcl,v
diff -u -r1.78 -r1.79
--- openacs-4/packages/xotcl-core/tcl/context-procs.tcl	8 Oct 2024 15:09:25 -0000	1.78
+++ openacs-4/packages/xotcl-core/tcl/context-procs.tcl	16 Oct 2024 09:21:22 -0000	1.79
@@ -720,17 +720,20 @@
 ad_proc -private ::xo::update_query_variable {old_query var value} {
-    Replace in a URL-query old occurrences of var with new value.
+    Replace in a URL-query old occurrences of var with new value.
-    @return pairs in a form suitable for export_vars
-} {
+    @return pairs in a form suitable for export_vars
+} {
     set query [list [list $var $value]]
     foreach {key value} [ns_set array [ns_parsequery $old_query]] {
-        if {$key eq $var} continue
+        if {$key eq $var
+            || [::util::suspicious_query_variable -proc xo::update_query $key $value]} {
+            continue
+        }
         lappend query [list $key $value]
     }
     return $query
-}
+}
 ad_proc -private ::xo::update_query {old_query var value} {
@@ -745,7 +748,10 @@
     if {$old_query ne ""} {
         foreach {key value} [ns_set array [ns_parsequery $old_query]] {
-            if {$key eq $var} continue
+            if {$key eq $var
+                || [::util::suspicious_query_variable -proc xo::update_query $key $value]} {
+                continue
+            }
             append query &[{*}$encodeCmd $key]=[{*}$encodeCmd $value]
         }
     }
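Review bot: The `-proc` argument added inside `::xo::update_query_variable` names the wrong caller: it passes `-proc xo::update_query`, which is the name of the sibling proc patched in the second hunk, so whatever `::util::suspicious_query_variable` reports or logs under that name will attribute rejections from `update_query_variable` to `update_query`, making any later log review or alert triage point at the wrong code path. The line in the first hunk should read `|| [::util::suspicious_query_variable -proc xo::update_query_variable $key $value]} {`; the second hunk's `-proc xo::update_query` is correct for its enclosing proc. Since the rejected pair is dropped silently with `continue` in both procs, it would also help to extend the docstring with a sentence stating that query variables flagged by `::util::suspicious_query_variable` are omitted from the result, so callers do not assume the returned query preserves every input pair. The body of `::xo::update_query` in the second hunk starts and ends outside the hunk.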