M_Viper/ts-website
M_Viper
/
ts-website
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Using htmlspecialchars instead of htmlentities to prevent XSS

This commit is contained in:
Wruczek 2017-09-25 00:39:02 +02:00
parent a282f78cff
commit bb09f72ee6
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
bans.php
View File

@ -68,14 +68,14 @@ function getBanlist() {
$user = censorIP((string)$ban['ip']); $user = censorIP((string)$ban['ip']);
if (!empty($ban['lastnickname'])) if (!empty($ban['lastnickname']))
$user = htmlentities((string)$ban['lastnickname']); $user = htmlspecialchars((string)$ban['lastnickname']);
if (empty($user)) if (empty($user))
$user = "<i>Unknown</i>"; $user = "<i>Unknown</i>";
$reason = htmlentities((string)$ban['reason']); $reason = htmlspecialchars((string)$ban['reason']);
$invokername = htmlentities((string)$ban['invokername']); $invokername = htmlspecialchars((string)$ban['invokername']);
$duration = $ban['duration']; $duration = $ban['duration'];
$createdepoch = $ban['created']; $createdepoch = $ban['created'];
$expiresepoch = $ban['created'] + $duration; $expiresepoch = $ban['created'] + $duration;

4
include/adminlist.php
View File

@ -63,11 +63,11 @@ function getAdminList() {
if($user["client_type"]) continue; if($user["client_type"]) continue;
if (!$user) { if (!$user) {
$offlineClients[] = '<p><span class="label label-primary iconspacer">' . htmlentities($userInfo['client_nickname']) . '</span><span class="label label-danger pull-right">' . translate($lang["adminlist"]["status"]["offline"]) . '</span></p>'; $offlineClients[] = '<p><span class="label label-primary iconspacer">' . htmlspecialchars($userInfo['client_nickname']) . '</span><span class="label label-danger pull-right">' . translate($lang["adminlist"]["status"]["offline"]) . '</span></p>';
continue; continue;
} }
$onlineClients[] = '<p><img src="lib/ts3phpframework/images/viewer/' . $user->getIcon() . '.png" alt="User status">' . '<span class="label label-primary">' . htmlentities($user) . '</span>' . ($user['client_away'] ? '<span class="label label-warning pull-right">' . translate($lang["adminlist"]["status"]["away"]) . '</span>' : '<span class="label label-success pull-right">' . translate($lang["adminlist"]["status"]["online"]) . '</span>') . '</p>'; $onlineClients[] = '<p><img src="lib/ts3phpframework/images/viewer/' . $user->getIcon() . '.png" alt="User status">' . '<span class="label label-primary">' . htmlspecialchars($user) . '</span>' . ($user['client_away'] ? '<span class="label label-warning pull-right">' . translate($lang["adminlist"]["status"]["away"]) . '</span>' : '<span class="label label-success pull-right">' . translate($lang["adminlist"]["status"]["online"]) . '</span>') . '</p>';
} }
foreach (array_merge($onlineClients, $offlineClients) as $str) foreach (array_merge($onlineClients, $offlineClients) as $str)