Am I leaving my site vulnerable to attack by not filtering data inside a header redirect?
For example:
$foo = $_GET['foo'];                  // untrusted query value, used as-is
header("Location: /bar.php?foo=$foo"); // interpolated directly into the redirect target
die();
If the answer is yes, what types of attacks are they, and is simply escaping the data with htmlentities a viable solution?
$foo = $_GET['foo'];
$foo = htmlentities($foo);             // proposed fix: HTML-escape the value
header("Location: /bar.php?foo=$foo");
die();
URL parameters are not executed, so you're not opening yourself up to attack. However, failing to encode the data may cause the parameter to be interpreted incorrectly. You should use urlencode():
$foo = urlencode($foo);                // percent-encode for the URL query context
header("Location: /bar.php?foo=$foo");
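As an added example, not code from the question or the answer above, the PHP script below puts the three variants side by side (raw interpolation, htmlentities(), urlencode()) and parses each resulting URL the way /bar.php would read it, to show which one delivers the value intact. The helper names and the sample values are my own constructions.

```php
<?php
// Added example, not code from the original question or answer. It contrasts the
// three ways of placing an untrusted query value into the Location header and
// shows, by parsing the resulting URL the way /bar.php would, which one
// delivers the value unchanged. All sample values below are constructed.

function rawUrl(string $foo): string
{
    return "/bar.php?foo=$foo";                  // the original, unencoded version
}

function htmlentitiesUrl(string $foo): string
{
    return "/bar.php?foo=" . htmlentities($foo); // HTML escaping: the wrong context for a URL
}

function urlencodeUrl(string $foo): string
{
    // urlencode() percent-encodes everything outside [A-Za-z0-9_.-] (space becomes '+'),
    // so '&', '=', '#' and control characters such as CR/LF cannot be read as URL
    // structure or header delimiters; PHP decodes the value back into $_GET['foo'].
    return "/bar.php?foo=" . urlencode($foo);
}

// What /bar.php will see in $_GET['foo'] for a given redirect URL.
function fooAsReceived(string $url): ?string
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    return $params['foo'] ?? null;
}

$samples = [
    'hello world',   // space
    'a&b=c',         // left raw, this becomes two parameters
    'x#y',           // left raw, '#' starts a fragment and drops the rest of the value
    "line1\nline2",  // header() refuses values containing newlines (PHP >= 5.1.2); encoded, it is fine
];

foreach ($samples as $value) {
    $variants = [
        'raw'          => rawUrl($value),
        'htmlentities' => htmlentitiesUrl($value),
        'urlencode'    => urlencodeUrl($value),
    ];
    foreach ($variants as $label => $url) {
        $status = (fooAsReceived($url) === $value) ? 'intact' : 'ALTERED';
        printf("%-12s %-7s %s\n", $label, $status, json_encode($url));
    }
    echo "\n";
}

// Only the urlencode() rows report "intact" for every sample. The actual redirect:
//   header('Location: ' . urlencodeUrl($_GET['foo'] ?? ''));
//   exit;
```

Running it shows that htmlentities() leaves '#' and '=' untouched and turns '&' into '&amp;', so the URL is still mis-parsed; for more than one parameter, http_build_query() applies the same percent-encoding to every key and value in one call.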