$_GET not cleaned when parsed from REQUEST_URI

When none of the default methods of determining the request URI have succeeded, the framework will fallback to parsing the raw request URI as passed by the webserver. If this URI has a query string, it will be parsed and $GET will be updated. In this process, the $GET variables are not cleaned,...