diff --git a/src/private/php/Utils/Language/LanguageUtils.php b/src/private/php/Utils/Language/LanguageUtils.php
index b1220b9..64ab0d3 100644
--- a/src/private/php/Utils/Language/LanguageUtils.php
+++ b/src/private/php/Utils/Language/LanguageUtils.php
@@ -2,7 +2,6 @@
namespace Wruczek\TSWebsite\Utils\Language;
-use function htmlspecialchars;
use Wruczek\PhpFileCache\PhpFileCache;
use Wruczek\TSWebsite\Utils\DatabaseUtils;
use Wruczek\TSWebsite\Utils\SingletonTait;
diff --git a/src/private/php/Utils/TemplateUtils.php b/src/private/php/Utils/TemplateUtils.php
index e0a1f69..9218df8 100644
--- a/src/private/php/Utils/TemplateUtils.php
+++ b/src/private/php/Utils/TemplateUtils.php
@@ -165,13 +165,13 @@ class TemplateUtils {
}
} else if (is_string($parameter)) {
// NEEDS to start with a space!
- $attributes = ' integrity="' . htmlspecialchars($parameter) . '" crossorigin="anonymous"';
+ $attributes = ' integrity="' . Utils::escape($parameter) . '" crossorigin="anonymous"';
}
if ($resourceType === "stylesheet") {
- echo '';
+ echo '';
} else if ($resourceType === "script") {
- echo '';
+ echo '';
} else {
throw new \InvalidArgumentException("$resourceType is not a valid resource type");
}
diff --git a/src/private/php/Utils/Utils.php b/src/private/php/Utils/Utils.php
index a2d3b59..f59ae72 100644
--- a/src/private/php/Utils/Utils.php
+++ b/src/private/php/Utils/Utils.php
@@ -9,12 +9,21 @@ use Wruczek\TSWebsite\News\INewsStore;
/**
* Class Utils
* @package Wruczek\TSWebsite\Utils
- * @author Wruczek 2017
+ * @author Wruczek 2017 - 2019
*/
class Utils {
private function __construct() {}
+ /**
+ * Escapes HTML characters with htmlspecialchars
+ * @param $string string String to be escaped
+ * @return string escaped string
+ */
+ public static function escape($string) {
+ return htmlspecialchars((string) $string, ENT_QUOTES, "UTF-8");
+ }
+
/**
* Strips the first line from string
* https://stackoverflow.com/a/7740485
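Review bot: `escape()` passes `ENT_QUOTES` alone, so when the input is not valid UTF-8 `htmlspecialchars` returns an empty string and the value silently vanishes from the page; because every converted call site (TemplateUtils.php, ViewerRenderer.php, load.php) now routes through this helper, that would blank out server names, nicknames, tooltips and the away message, and on PHP 8.1+ it is a regression from the old bare calls, whose default flags already include substitution. Adding the substitution flag keeps the output non-empty: `return htmlspecialchars((string) $string, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");`. The docblock also has the tag order reversed; PHPDoc expects `@param string $string String to be escaped`, and a native `string $string` parameter with a `: string` return would let static analysis check callers. The Utils class continues outside the hunk.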
@@ -100,7 +109,7 @@ class Utils {
*/
public static function getClientIp($useCfip = null) {
if ($useCfip === null) {
- $useCfip = (bool) Config::get("usingcloudflare");
+ $useCfip = Config::get("usingcloudflare");
}
// If IPv6 localhost, return IPv4 localhost
@@ -108,7 +117,7 @@ class Utils {
return "127.0.0.1";
}
- if (!empty($_SERVER["HTTP_CF_CONNECTING_IP"]) && $useCfip) {
+ if ($useCfip && !empty($_SERVER["HTTP_CF_CONNECTING_IP"])) {
return $_SERVER["HTTP_CF_CONNECTING_IP"];
}
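Review bot: The reordered check still returns `$_SERVER["HTTP_CF_CONNECTING_IP"]` verbatim, so with `usingcloudflare` enabled any string a client places in that header is handed back as its address, and callers that log it, rate-limit on it or compare it receive an unvalidated value. Validating it before returning costs two lines inside the existing branch: `$cfIp = filter_var($_SERVER["HTTP_CF_CONNECTING_IP"], FILTER_VALIDATE_IP); if ($cfIp !== false) { return $cfIp; }` in place of the bare `return`. The header is only meaningful when the origin accepts connections exclusively through Cloudflare; if the deployment cannot guarantee that, checking `$_SERVER["REMOTE_ADDR"]` against Cloudflare's published ranges before trusting the header is the usual mitigation (inferred; the function's docblock is not visible here). getClientIp starts in the previous hunk and ends outside this one.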
diff --git a/src/private/php/ViewerRenderer.php b/src/private/php/ViewerRenderer.php
index f7026dc..709046b 100644
--- a/src/private/php/ViewerRenderer.php
+++ b/src/private/php/ViewerRenderer.php
@@ -4,6 +4,7 @@ namespace Wruczek\TSWebsite;
use function __get;
use TeamSpeak3;
+use Wruczek\TSWebsite\Utils\Utils;
class ViewerRenderer {
@@ -77,7 +78,7 @@ EOD;
$this->add(
$html,
$this->getIcon("server_green.svg"),
- htmlspecialchars($this->serverInfo["virtualserver_name"]),
+ Utils::escape($this->serverInfo["virtualserver_name"]),
$suffixIcons
);
@@ -99,8 +100,8 @@ EOD;
$path = "api/geticon.php?iconid=" . (int) $name;
}
- $ttip = $tooltip ? ' data-toggle="tooltip" title="' . htmlspecialchars($tooltip) . '"' : "";
- return '';
+ $ttip = $tooltip ? ' data-toggle="tooltip" title="' . Utils::escape($tooltip) . '"' : "";
+ return '';
}
/**
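Review bot: `$tooltip ? … : ""` decides by truthiness, so a tooltip of `"0"` is treated as absent rather than shown; the same pattern appears further down in `Utils::escape($client["client_away_message"]) ?: __get("VIEWER_CLIENT_AWAY")`, where an away message of `"0"` falls back to the default text. Comparing against the empty string keeps those values: `$ttip = $tooltip !== "" ? ' data-toggle="tooltip" title="' . Utils::escape($tooltip) . '"' : "";`. Whether `$tooltip` can arrive as `null` is not visible in this hunk; if it can, `$tooltip !== null && $tooltip !== ""` is the safe form, and `escape()` always returns a string so the away-message site needs only the `!== ""` comparison.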
@@ -162,7 +163,7 @@ EOD;
$channel->getId(),
$channel->isSpacer() ? "" : ' tabindex="0"',
$channelIcon,
- htmlspecialchars($channelDisplayName),
+ Utils::escape($channelDisplayName),
$suffixIcons
);
@@ -222,7 +223,7 @@ EOD;
$clientName = implode(" ", $beforeName); // prefix groups
$clientName .= " {$client["client_nickname"]} "; // nickname
$clientName .= implode(" ", $afterName); // suffix groups
- $clientName = htmlspecialchars(trim($clientName)); // trim and sanitize
+ $clientName = Utils::escape(trim($clientName)); // trim and sanitize
$this->add(
$html,
@@ -286,7 +287,7 @@ EOD;
}
if($client["client_away"]) {
- return $this->getIcon("away.svg", htmlspecialchars($client["client_away_message"]) ?: __get("VIEWER_CLIENT_AWAY"));
+ return $this->getIcon("away.svg", Utils::escape($client["client_away_message"]) ?: __get("VIEWER_CLIENT_AWAY"));
}
if(!$client["client_output_hardware"]) {
@@ -340,7 +341,7 @@ EOD;
// to show the group with a "broken-image" icons.
}
- $html .= $this->getIcon($icon, htmlspecialchars($group["name"]));
+ $html .= $this->getIcon($icon, Utils::escape($group["name"]));
}
if($client["client_icon_id"]) {
diff --git a/src/private/php/load.php b/src/private/php/load.php
index 95027a4..63c1c10 100644
--- a/src/private/php/load.php
+++ b/src/private/php/load.php
@@ -4,6 +4,7 @@ use Wruczek\TSWebsite\Config;
use Wruczek\TSWebsite\ServerIconCache;
use Wruczek\TSWebsite\Utils\CsrfUtils;
use Wruczek\TSWebsite\Utils\Language\LanguageUtils;
+use Wruczek\TSWebsite\Utils\Utils;
session_name("tswebsite_sessionid");
@@ -71,7 +72,7 @@ if(!isset($_SESSION["userlanguageid"])) {
try {
return LanguageUtils::i()->translate($identifier, $args);
} catch (\Exception $e) {
- return "(unknown translation for " . htmlspecialchars($identifier) . ")";
+ return "(unknown translation for " . Utils::escape($identifier) . ")";
}
}
}