Index: branches/5.2.x/core/units/categories/categories_event_handler.php =================================================================== diff -u -N -r16713 -r16781 --- branches/5.2.x/core/units/categories/categories_event_handler.php (.../categories_event_handler.php) (revision 16713) +++ branches/5.2.x/core/units/categories/categories_event_handler.php (.../categories_event_handler.php) (revision 16781) @@ -1,6 +1,6 @@ getEventParam('page_var'); if ( $page_var !== false ) { - $page = $this->Application->GetVar($page_var); + $page = $this->Application->GetVarFiltered($page_var, false, FILTER_VALIDATE_INT); if ( is_numeric($page) ) { /** @var kDBList $object */ Index: branches/5.2.x/core/kernel/application.php =================================================================== diff -u -N -r16772 -r16781 --- branches/5.2.x/core/kernel/application.php (.../application.php) (revision 16772) +++ branches/5.2.x/core/kernel/application.php (.../application.php) (revision 16781) @@ -1,6 +1,6 @@ HttpQuery->_Params[$name]) ) { + $filtered_value = filter_var($this->HttpQuery->_Params[$name], $filter, $options); + + if ( $filtered_value !== false ) { + return $filtered_value; + } + } + + return $default; + } + + /** * Removes forceful escaping done to the variable upon Front-End submission. * * @param string|array $value Value. Index: branches/5.2.x/core/kernel/db/cat_event_handler.php =================================================================== diff -u -N -r16692 -r16781 --- branches/5.2.x/core/kernel/db/cat_event_handler.php (.../cat_event_handler.php) (revision 16692) +++ branches/5.2.x/core/kernel/db/cat_event_handler.php (.../cat_event_handler.php) (revision 16781) 
@@ -1,6 +1,6 @@ session -> config -> 10) $object->SetPerPage($this->getPerPage($event)); - // main lists on Front-End have special get parameter for page - $page = $object->isMainList() ? $this->Application->GetVar('page') : false; + // Main lists on Front-End have special get parameter for page. + if ( $object->isMainList() ) { + $page = $this->Application->GetVarFiltered('page', false, FILTER_VALIDATE_INT); + } + else { + $page = false; + } if ( !$page ) { - // page is given in "env" variable for given prefix - $page = $this->Application->GetVar($event->getPrefixSpecial() . '_Page'); + // Page is given in "env" variable for given prefix. + $page = $this->Application->GetVarFiltered( + $event->getPrefixSpecial() . '_Page', + false, + FILTER_VALIDATE_INT + ); } if ( !$page && $event->Special ) { - // when not part of env, then variables like "prefix.special_Page" are - // replaced (by PHP) with "prefix_special_Page", so check for that too - $page = $this->Application->GetVar($event->getPrefixSpecial(true) . '_Page'); + /* + * When not part of env, then variables like "prefix.special_Page" are + * replaced (by PHP) with "prefix_special_Page", so check for that too. + */ + $page = $this->Application->GetVarFiltered( + $event->getPrefixSpecial(true) . '_Page', + false, + FILTER_VALIDATE_INT + ); } if ( !$object->isMainList() ) { 
@@ -1913,8 +1928,8 @@ if ( !$page ) { if ( $this->Application->RewriteURLs() ) { - // when page not found by prefix+special, then try to search it without special at all - $page = $this->Application->GetVar($event->Prefix . '_Page'); + // When page not found by prefix+special, then try to search it without special at all. + $page = $this->Application->GetVarFiltered($event->Prefix . '_Page', false, FILTER_VALIDATE_INT); if ( !$page ) { // page not found in request -> get from session Index: branches/5.2.x/core/kernel/db/db_event_handler.php =================================================================== diff -u -N -r16779 -r16781 --- branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 16779) +++ branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 16781) 
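Review bot: `FILTER_VALIDATE_INT` on the added `$page = $this->Application->GetVarFiltered($event->Prefix . '_Page', false, FILTER_VALIDATE_INT);` line still lets a negative page number through, and because `-1` is truthy the session fallback on the following lines is skipped for it exactly as before the change. Since the point of this commit is to stop non-sane page values at the request boundary, give the filter a range: `$page = $this->Application->GetVarFiltered($event->Prefix . '_Page', false, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));`. With the range in place `0` is also rejected by the filter itself rather than only by the `!$page` test that follows, which makes the intent explicit to the next reader. The enclosing method starts before this hunk and ends after it, so I cannot see whether a later step clamps the page.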
@@ -1,6 +1,6 @@ session -> config -> 10) $object->SetPerPage($this->getPerPage($event)); - // main lists on Front-End have special get parameter for page - $page = $object->isMainList() ? $this->Application->GetVar('page') : false; + // Main lists on Front-End have special get parameter for page. + if ( $object->isMainList() ) { + $page = $this->Application->GetVarFiltered('page', false, FILTER_VALIDATE_INT); + } + else { + $page = false; + } if ( !$page ) { - // page is given in "env" variable for given prefix - $page = $this->Application->GetVar($event->getPrefixSpecial() . '_Page'); + // Page is given in "env" variable for given prefix. + $page = $this->Application->GetVarFiltered( + $event->getPrefixSpecial() . '_Page', + false, + FILTER_VALIDATE_INT + ); } if ( !$page && $event->Special ) { - // when not part of env, then variables like "prefix.special_Page" are - // replaced (by PHP) with "prefix_special_Page", so check for that too - $page = $this->Application->GetVar($event->getPrefixSpecial(true) . '_Page'); + /* + * When not part of env, then variables like "prefix.special_Page" are + * replaced (by PHP) with "prefix_special_Page", so check for that too. + */ + $page = $this->Application->GetVarFiltered( + $event->getPrefixSpecial(true) . '_Page', + false, + FILTER_VALIDATE_INT + ); } if ( !$object->isMainList() ) { 
@@ -978,19 +993,33 @@ } if ( !$per_page && $object->isMainList() ) { - // main lists on Front-End have special get parameter for per-page - $per_page = $this->Application->GetVar('per_page'); + // Main lists on Front-End have special get parameter for per-page. + $per_page = $this->Application->GetVarFiltered( + 'per_page', + false, + FILTER_VALIDATE_INT + ); } if ( !$per_page ) { - // per-page is given in "env" variable for given prefix - $per_page = $this->Application->GetVar($event->getPrefixSpecial() . '_PerPage'); + // Per-page is given in "env" variable for given prefix. + $per_page = $this->Application->GetVarFiltered( + $event->getPrefixSpecial() . '_PerPage', + false, + FILTER_VALIDATE_INT + ); } if ( !$per_page && $event->Special ) { - // when not part of env, then variables like "prefix.special_PerPage" are - // replaced (by PHP) with "prefix_special_PerPage", so check for that too - $per_page = $this->Application->GetVar($event->getPrefixSpecial(true) . '_PerPage'); + /* + * When not part of env, then variables like "prefix.special_PerPage" are + * replaced (by PHP) with "prefix_special_PerPage", so check for that too. + */ + $per_page = $this->Application->GetVarFiltered( + $event->getPrefixSpecial(true) . '_PerPage', + false, + FILTER_VALIDATE_INT + ); } if ( !$object->isMainList() ) { @@ -1041,7 +1070,12 @@ $object = $event->getObject(); if ( $object->isMainList() ) { - $sort_by = $this->Application->GetVar('sort_by'); + $sort_by = $this->Application->GetVarFiltered( + 'sort_by', + false, + FILTER_CALLBACK, + array('options' => array($this, 'sortByFilterCallback')) + ); $cur_sort1 = $cur_sort1_dir = $cur_sort2 = $cur_sort2_dir = false; if ( $sort_by ) { 
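Review bot: The three `FILTER_VALIDATE_INT` calls added for `per_page` accept any integer, so `per_page=-5` survives the filter and the `!$per_page` chain does not catch it, and an arbitrarily large value is accepted just as readily; unless something later in this method clamps it (not visible in the hunk), a single request can ask the list for an unbounded number of rows. I would give each of the three calls a range, e.g. `FILTER_VALIDATE_INT, array('options' => array('min_range' => 1, 'max_range' => 1000))`, with the upper bound taken from whatever per-page limit the project already enforces elsewhere. Out-of-range values then fall back to the `false` default and the existing `!$per_page` chain simply moves on to the next source. The enclosing method begins before this hunk and ends after it.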
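Review bot: The new `GetVarFiltered('sort_by', false, FILTER_CALLBACK, ...)` call does not guard against `sort_by` arriving as an array (`sort_by[]=...`): to my recollection `filter_var` with `FILTER_CALLBACK` applies the callback to each element of an array input and returns the filtered array, which is `!== false` and is therefore handed back, so the `if ( $sort_by )` branch runs with an array where the parsing after this hunk presumably expects a string. The old `GetVar('sort_by')` had the same hole, but this commit is the input-validation pass and so the natural place to close it; one line after the call does it: `if ( is_array($sort_by) ) { $sort_by = false; }`. The enclosing method starts and ends outside this hunk.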
@@ -1118,6 +1152,29 @@ } /** + * Filters the "sort_by" request variable. + * + * @param string|boolean $value Value. + * + * @return string|boolean + */ + public function sortByFilterCallback($value) + { + if ( !$value ) { + return false; + } + + $sortings = array_filter( + explode('|', $value), + function ($sorting) { + return preg_match('/^[a-z_][a-z0-9_]*,(asc|desc)$/i', $sorting); + } + ); + + return $sortings ? implode('|', $sortings) : false; + } + + /** * Returns default list sortings * * @param kEvent $event
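Review bot: The pattern `'/^[a-z_][a-z0-9_]*,(asc|desc)$/i'` in `sortByFilterCallback` uses `$` without the `D` modifier, so it also matches before a trailing newline and a value such as `"Name,asc\n"` is accepted with the newline kept inside the direction token; use `'/^[a-z_][a-z0-9_]*,(asc|desc)$/Di'` (or `\z` in place of `$`) to anchor at the true end of the string. More importantly, the regex only proves each token is a well-formed identifier, not that it names a field the list is meant to expose: if the surviving string reaches an `ORDER BY` unchanged (its consumer is outside this hunk), a caller can sort by any column of the table, including ones never displayed, and infer their values from the resulting order. I would have the caller check each field name against the list's known sortable fields before using it, and state the limitation in the docblock, e.g. `* Only checks the shape of each "field,dir" pair; callers must still restrict the field to the list's sortable fields.`. Also worth a docblock sentence is that `array_filter` silently drops malformed pairs instead of rejecting the whole value, so the lenient behaviour is not mistaken for a bug later.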