From bb09f72ee636b212024447890c9f6f4e5733986c Mon Sep 17 00:00:00 2001
From: Wruczek <wruczekk@gmail.com>
Date: Mon, 25 Sep 2017 00:39:02 +0200
Subject: [PATCH] Using htmlspecialchars instead of htmlentities to prevent XSS

---
 bans.php              | 6 +++---
 include/adminlist.php | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/bans.php b/bans.php
index 6c33a4c..1f4ffdc 100644
--- a/bans.php
+++ b/bans.php
@@ -68,14 +68,14 @@ function getBanlist() {
                 $user = censorIP((string)$ban['ip']);
 
             if (!empty($ban['lastnickname']))
-                $user = htmlentities((string)$ban['lastnickname']);
+                $user = htmlspecialchars((string)$ban['lastnickname']);
 
             if (empty($user))
                 $user = "<i>Unknown</i>";
 
 
-            $reason = htmlentities((string)$ban['reason']);
-            $invokername = htmlentities((string)$ban['invokername']);
+            $reason = htmlspecialchars((string)$ban['reason']);
+            $invokername = htmlspecialchars((string)$ban['invokername']);
             $duration = $ban['duration'];
             $createdepoch = $ban['created'];
             $expiresepoch = $ban['created'] + $duration;
diff --git a/include/adminlist.php b/include/adminlist.php
index ebf2faf..3c7d882 100644
--- a/include/adminlist.php
+++ b/include/adminlist.php
@@ -63,11 +63,11 @@ function getAdminList() {
                 if($user["client_type"]) continue;
 
                 if (!$user) {
-                    $offlineClients[] = '<p><span class="label label-primary iconspacer">' . htmlentities($userInfo['client_nickname']) . '</span><span class="label label-danger pull-right">' . translate($lang["adminlist"]["status"]["offline"]) . '</span></p>';
+                    $offlineClients[] = '<p><span class="label label-primary iconspacer">' . htmlspecialchars($userInfo['client_nickname']) . '</span><span class="label label-danger pull-right">' . translate($lang["adminlist"]["status"]["offline"]) . '</span></p>';
                     continue;
                 }
 
-                $onlineClients[] = '<p><img src="lib/ts3phpframework/images/viewer/' . $user->getIcon() . '.png" alt="User status">' . '<span class="label label-primary">' . htmlentities($user) . '</span>' . ($user['client_away'] ? '<span class="label label-warning pull-right">' . translate($lang["adminlist"]["status"]["away"]) . '</span>' : '<span class="label label-success pull-right">' . translate($lang["adminlist"]["status"]["online"]) . '</span>') . '</p>';
+                $onlineClients[] = '<p><img src="lib/ts3phpframework/images/viewer/' . $user->getIcon() . '.png" alt="User status">' . '<span class="label label-primary">' . htmlspecialchars($user) . '</span>' . ($user['client_away'] ? '<span class="label label-warning pull-right">' . translate($lang["adminlist"]["status"]["away"]) . '</span>' : '<span class="label label-success pull-right">' . translate($lang["adminlist"]["status"]["online"]) . '</span>') . '</p>';
             }
 
             foreach (array_merge($onlineClients, $offlineClients) as $str)