diff --git a/src/private/php/Utils/Language/LanguageUtils.php b/src/private/php/Utils/Language/LanguageUtils.php
index b1220b9..64ab0d3 100644
--- a/src/private/php/Utils/Language/LanguageUtils.php
+++ b/src/private/php/Utils/Language/LanguageUtils.php
@@ -2,7 +2,6 @@ namespace Wruczek\TSWebsite\Utils\Language; -use function htmlspecialchars; use Wruczek\PhpFileCache\PhpFileCache; use Wruczek\TSWebsite\Utils\DatabaseUtils; use Wruczek\TSWebsite\Utils\SingletonTait;
diff --git a/src/private/php/Utils/TemplateUtils.php b/src/private/php/Utils/TemplateUtils.php
index e0a1f69..9218df8 100644
--- a/src/private/php/Utils/TemplateUtils.php
+++ b/src/private/php/Utils/TemplateUtils.php
@@ -165,13 +165,13 @@ class TemplateUtils { } } else if (is_string($parameter)) { // NEEDS to start with a space! - $attributes = ' integrity="' . htmlspecialchars($parameter) . '" crossorigin="anonymous"'; + $attributes = ' integrity="' . Utils::escape($parameter) . '" crossorigin="anonymous"'; } if ($resourceType === "stylesheet") { - echo ''; + echo ''; } else if ($resourceType === "script") { - echo ''; + echo ''; } else { throw new \InvalidArgumentException("$resourceType is not a valid resource type"); }
diff --git a/src/private/php/Utils/Utils.php b/src/private/php/Utils/Utils.php
index a2d3b59..f59ae72 100644
--- a/src/private/php/Utils/Utils.php
+++ b/src/private/php/Utils/Utils.php
@@ -9,12 +9,21 @@ use Wruczek\TSWebsite\News\INewsStore; /** * Class Utils * @package Wruczek\TSWebsite\Utils - * @author Wruczek 2017 + * @author Wruczek 2017 - 2019 */ class Utils { private function __construct() {} + /** + * Escapes HTML characters with htmlspecialchars + * @param $string string String to be escaped + * @return string escaped string + */ + public static function escape($string) { + return htmlspecialchars((string) $string, ENT_QUOTES, "UTF-8"); + } + /** * Strips the first line from string * https://stackoverflow.com/a/7740485
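Review bot: `$parameter` reaches the `integrity` attribute on the `$attributes = ...` line with HTML-escaping as its only check; browsers skip an integrity token they cannot parse and, when no valid token is left, load the resource with no integrity verification at all, so a mistyped hash in the configuration silently disables SRI instead of failing loudly. A format check before the concatenation, `if (!preg_match('/^sha(256|384|512)-[A-Za-z0-9+\/]+={0,2}$/', $parameter)) { throw new \InvalidArgumentException("invalid integrity value"); }` (widened if several space-separated tokens are meant to be accepted), would surface that at render time in the same way the method already rejects an unknown `$resourceType`. The two `echo` lines appear in this rendering as `echo '';` with their markup lost, so the element they emit, presumably the `<link>`/`<script>` tag carrying `$attributes`, cannot be reviewed here. The enclosing method starts before this hunk.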
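Review bot: `escape()` passes `ENT_QUOTES` and `"UTF-8"` but not `ENT_SUBSTITUTE`, so for input containing an invalid UTF-8 sequence `htmlspecialchars` returns an empty string and the value silently vanishes from the page; since the other hunks route strings supplied by connected TeamSpeak clients (nicknames, away messages, group names) through this one helper, `return htmlspecialchars((string) $string, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");` would render such a value with U+FFFD instead of dropping it. The docblock has the tag order reversed and should read `@param string $string String to be escaped`; if the project targets PHP 7 or later, a `: string` return type matches the cast-and-escape body exactly. Centralising escaping here is the right direction, and `ENT_QUOTES` covers both the double-quoted attribute contexts in TemplateUtils and ViewerRenderer and plain element text.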
@@ -100,7 +109,7 @@ class Utils { */ public static function getClientIp($useCfip = null) { if ($useCfip === null) { - $useCfip = (bool) Config::get("usingcloudflare"); + $useCfip = Config::get("usingcloudflare"); } // If IPv6 localhost, return IPv4 localhost
@@ -108,7 +117,7 @@ class Utils { return "127.0.0.1"; } - if (!empty($_SERVER["HTTP_CF_CONNECTING_IP"]) && $useCfip) { + if ($useCfip && !empty($_SERVER["HTTP_CF_CONNECTING_IP"])) { return $_SERVER["HTTP_CF_CONNECTING_IP"]; }
diff --git a/src/private/php/ViewerRenderer.php b/src/private/php/ViewerRenderer.php
index f7026dc..709046b 100644
--- a/src/private/php/ViewerRenderer.php
+++ b/src/private/php/ViewerRenderer.php
@@ -4,6 +4,7 @@ namespace Wruczek\TSWebsite; use function __get; use TeamSpeak3; +use Wruczek\TSWebsite\Utils\Utils; class ViewerRenderer {
@@ -77,7 +78,7 @@ EOD; $this->add( $html, $this->getIcon("server_green.svg"), - htmlspecialchars($this->serverInfo["virtualserver_name"]), + Utils::escape($this->serverInfo["virtualserver_name"]), $suffixIcons );
@@ -99,8 +100,8 @@ EOD; $path = "api/geticon.php?iconid=" . (int) $name; } - $ttip = $tooltip ? ' data-toggle="tooltip" title="' . htmlspecialchars($tooltip) . '"' : ""; - return '' . htmlspecialchars($alt) . ''; + $ttip = $tooltip ? ' data-toggle="tooltip" title="' . Utils::escape($tooltip) . '"' : ""; + return '' . Utils::escape($alt) . ''; } /**
@@ -162,7 +163,7 @@ EOD; $channel->getId(), $channel->isSpacer() ? "" : ' tabindex="0"', $channelIcon, - htmlspecialchars($channelDisplayName), + Utils::escape($channelDisplayName), $suffixIcons );
@@ -222,7 +223,7 @@ EOD; $clientName = implode(" ", $beforeName); // prefix groups $clientName .= " {$client["client_nickname"]} "; // nickname $clientName .= implode(" ", $afterName); // suffix groups - $clientName = htmlspecialchars(trim($clientName)); // trim and sanitize + $clientName = Utils::escape(trim($clientName)); // trim and sanitize $this->add( $html,
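Review bot: The reordered condition `if ($useCfip && !empty($_SERVER["HTTP_CF_CONNECTING_IP"]))` in the second Utils.php hunk still returns the header value untouched, and that header is only meaningful when the request really came through Cloudflare; a client that reaches the origin directly can set `CF-Connecting-IP` to anything, so with `usingcloudflare` enabled the returned address is caller-chosen unless `$_SERVER["REMOTE_ADDR"]` is also checked against Cloudflare's published edge ranges, which is worth at least a comment on this line until such a check exists. Independently, the value should be validated before it is returned, e.g. `$ip = filter_var($_SERVER["HTTP_CF_CONNECTING_IP"], FILTER_VALIDATE_IP);` and returning it only when it is not `false`, so that whatever consumes `getClientIp()` never receives arbitrary text in place of an address. Dropping the `(bool)` cast in the first hunk does not change the outcome of the `&&`, but `$useCfip` now holds whatever `Config::get()` returns, which deserves a one-line comment on the assignment. `getClientIp` continues past the end of the second hunk.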
@@ -286,7 +287,7 @@ EOD; } if($client["client_away"]) { - return $this->getIcon("away.svg", htmlspecialchars($client["client_away_message"]) ?: __get("VIEWER_CLIENT_AWAY")); + return $this->getIcon("away.svg", Utils::escape($client["client_away_message"]) ?: __get("VIEWER_CLIENT_AWAY")); } if(!$client["client_output_hardware"]) {
@@ -340,7 +341,7 @@ EOD; // to show the group with a "broken-image" icons. } - $html .= $this->getIcon($icon, htmlspecialchars($group["name"])); + $html .= $this->getIcon($icon, Utils::escape($group["name"])); } if($client["client_icon_id"]) {
diff --git a/src/private/php/load.php b/src/private/php/load.php
index 95027a4..63c1c10 100644
--- a/src/private/php/load.php
+++ b/src/private/php/load.php
@@ -4,6 +4,7 @@ use Wruczek\TSWebsite\Config; use Wruczek\TSWebsite\ServerIconCache; use Wruczek\TSWebsite\Utils\CsrfUtils; use Wruczek\TSWebsite\Utils\Language\LanguageUtils; +use Wruczek\TSWebsite\Utils\Utils; session_name("tswebsite_sessionid");
@@ -71,7 +72,7 @@ if(!isset($_SESSION["userlanguageid"])) { try { return LanguageUtils::i()->translate($identifier, $args); } catch (\Exception $e) { - return "(unknown translation for " . htmlspecialchars($identifier) . ")"; + return "(unknown translation for " . Utils::escape($identifier) . ")"; } } }
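Review bot: `Utils::escape($client["client_away_message"])` is handed to `getIcon()` as its tooltip argument, and the `@@ -99` hunk earlier in this file, which appears to be `getIcon`'s body, escapes that argument again when it builds `title="..."`, so an away message containing `&`, `<` or a quote is encoded twice and displays as `&amp;`; the same double encoding applies to `Utils::escape($group["name"])` in the `@@ -340` hunk. Escaping belongs in the one place that writes the attribute, so these call sites should pass the raw value, `return $this->getIcon("away.svg", $client["client_away_message"] ?: __get("VIEWER_CLIENT_AWAY"));` and `$html .= $this->getIcon($icon, $group["name"]);`, provided the `@@ -99` hunk is indeed the method these calls reach. Note also that `?:` treats the string `"0"` as empty, so an away message of exactly `0` falls back to the translated placeholder. The enclosing methods start before these hunks.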
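Review bot: The fallback `return "(unknown translation for " . Utils::escape($identifier) . ")";` is HTML-encoded while the normal branch returns `LanguageUtils::i()->translate($identifier, $args)` unchanged, so callers cannot tell whether the string they get back is already safe for HTML; the ViewerRenderer hunks show one consumer, `getIcon()` via `__get("VIEWER_CLIENT_AWAY")`, escaping its argument itself, which would double-encode this fallback. Both branches should follow one contract: if translation keys only ever come from code, `return "(unknown translation for {$identifier})";` with escaping left to the output site is the simpler option, and if a key could carry user-controlled text the escaping belongs at the output site as well rather than in one branch here. The enclosing function starts before this hunk.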