Index: branches/5.2.x/core/kernel/db/db_event_handler.php
===================================================================
diff -u -N -r16779 -r16781
--- branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 16779)
+++ branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 16781)
@@ -1,6 +1,6 @@ session -> config -> 10) $object->SetPerPage($this->getPerPage($event));
- // main lists on Front-End have special get parameter for page
- $page = $object->isMainList() ? $this->Application->GetVar('page') : false;
+ // Main lists on Front-End have special get parameter for page.
+ if ( $object->isMainList() ) {
+ $page = $this->Application->GetVarFiltered('page', false, FILTER_VALIDATE_INT);
+ }
+ else {
+ $page = false;
+ }
 if ( !$page ) {
- // page is given in "env" variable for given prefix
- $page = $this->Application->GetVar($event->getPrefixSpecial() . '_Page');
+ // Page is given in "env" variable for given prefix.
+ $page = $this->Application->GetVarFiltered(
+ $event->getPrefixSpecial() . '_Page',
+ false,
+ FILTER_VALIDATE_INT
+ );
 }
 if ( !$page && $event->Special ) {
- // when not part of env, then variables like "prefix.special_Page" are
- // replaced (by PHP) with "prefix_special_Page", so check for that too
- $page = $this->Application->GetVar($event->getPrefixSpecial(true) . '_Page');
+ /*
+ * When not part of env, then variables like "prefix.special_Page" are
+ * replaced (by PHP) with "prefix_special_Page", so check for that too.
+ */
+ $page = $this->Application->GetVarFiltered(
+ $event->getPrefixSpecial(true) . '_Page',
+ false,
+ FILTER_VALIDATE_INT
+ );
 }
 if ( !$object->isMainList() ) {
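Review bot: FILTER_VALIDATE_INT on `page` and on the two `_Page` lookups still admits zero and negative integers; `if ( !$page )` discards 0, but a negative page number passes straight through to the rest of the method. Unless a later line clamps it (the method continues past the hunk), use the filter's range option, e.g. `$this->Application->GetVarFiltered('page', false, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)))` — the four-argument form used for `sort_by` in the `@@ -1041,7 +1070,12 @@` hunk shows GetVarFiltered accepts the options array. The same applies to the three `per_page` lookups in `@@ -978,19 +993,33 @@`, where a `max_range` would additionally bound the page size a visitor can request in one query. The enclosing method starts before and ends after this hunk, and its header line appears mangled in this copy of the diff.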
@@ -978,19 +993,33 @@
 }
 if ( !$per_page && $object->isMainList() ) {
- // main lists on Front-End have special get parameter for per-page
- $per_page = $this->Application->GetVar('per_page');
+ // Main lists on Front-End have special get parameter for per-page.
+ $per_page = $this->Application->GetVarFiltered(
+ 'per_page',
+ false,
+ FILTER_VALIDATE_INT
+ );
 }
 if ( !$per_page ) {
- // per-page is given in "env" variable for given prefix
- $per_page = $this->Application->GetVar($event->getPrefixSpecial() . '_PerPage');
+ // Per-page is given in "env" variable for given prefix.
+ $per_page = $this->Application->GetVarFiltered(
+ $event->getPrefixSpecial() . '_PerPage',
+ false,
+ FILTER_VALIDATE_INT
+ );
 }
 if ( !$per_page && $event->Special ) {
- // when not part of env, then variables like "prefix.special_PerPage" are
- // replaced (by PHP) with "prefix_special_PerPage", so check for that too
- $per_page = $this->Application->GetVar($event->getPrefixSpecial(true) . '_PerPage');
+ /*
+ * When not part of env, then variables like "prefix.special_PerPage" are
+ * replaced (by PHP) with "prefix_special_PerPage", so check for that too.
+ */
+ $per_page = $this->Application->GetVarFiltered(
+ $event->getPrefixSpecial(true) . '_PerPage',
+ false,
+ FILTER_VALIDATE_INT
+ );
 }
 if ( !$object->isMainList() ) {
@@ -1041,7 +1070,12 @@
 $object = $event->getObject();
 if ( $object->isMainList() ) {
- $sort_by = $this->Application->GetVar('sort_by');
+ $sort_by = $this->Application->GetVarFiltered(
+ 'sort_by',
+ false,
+ FILTER_CALLBACK,
+ array('options' => array($this, 'sortByFilterCallback'))
+ );
 $cur_sort1 = $cur_sort1_dir = $cur_sort2 = $cur_sort2_dir = false;
 if ( $sort_by ) {
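Review bot: The FILTER_CALLBACK lookup of `sort_by` in `@@ -1041,7 +1070,12 @@` does not force a scalar: assuming GetVarFiltered delegates to filter_var(), the filter extension applies the callback to every element when the request value is an array, so an array-valued `sort_by` comes back as an array rather than false, and `if ( $sort_by )` then hands that array to the parsing that follows. A flag cannot fix this because the options entry is what selects the callback, so add a guard right after the call, `if ( !is_string($sort_by) ) { $sort_by = false; }`, before `$cur_sort1 = ...`. The enclosing method starts and ends outside the hunk.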
@@ -1118,6 +1152,29 @@
 }
 /**
+ * Filters the "sort_by" request variable.
+ *
+ * @param string|boolean $value Value.
+ *
+ * @return string|boolean
+ */
+ public function sortByFilterCallback($value)
+ {
+ if ( !$value ) {
+ return false;
+ }
+
+ $sortings = array_filter(
+ explode('|', $value),
+ function ($sorting) {
+ return preg_match('/^[a-z_][a-z0-9_]*,(asc|desc)$/i', $sorting);
+ }
+ );
+
+ return $sortings ? implode('|', $sortings) : false;
+ }
+
+ /**
 * Returns default list sortings
 *
 * @param kEvent $event
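Review bot: The `$` anchor in `/^[a-z_][a-z0-9_]*,(asc|desc)$/i` also matches just before a trailing newline, so a segment such as `name,asc` followed by "\n" passes the check and the newline is carried into the reassembled sorting string; use `\z` or the dollar-end-only modifier, `preg_match('/^[a-z_][a-z0-9_]*,(asc|desc)$/iD', $sorting)`. The pattern validates shape only, not that the field exists on the list, so the consumer of the returned string must still match field names against the list's known sortable fields — that check is outside this hunk and should be confirmed. The docblock should also state the contract for partially valid input; propose `@return string|boolean Pipe-separated "field,direction" pairs that passed validation, or false when none did.` The method is complete within the hunk.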