From 7b08766668ec5c47f452fcc23e2b787c471453b7 Mon Sep 17 00:00:00 2001 From: Anonymous Contributor Date: Wed, 23 Aug 2023 18:16:34 +0200 Subject: [PATCH] Always encode user input before including in HTML --- pages/dashboard.php | 2 +- pages/friends.php | 3 +-- pages/groups.php | 2 +- pages/identities.php | 4 ++-- pages/login.php | 2 +- pages/password.php | 8 ++++---- pages/profile.php | 8 ++++---- pages/regions.php | 2 +- pages/register.php | 2 +- pages/user-online-state.php | 2 +- pages/users.php | 4 ++-- plugins/default-html.php | 2 +- 12 files changed, 20 insertions(+), 21 deletions(-) diff --git a/pages/dashboard.php b/pages/dashboard.php index 85395f1..2b70789 100644 --- a/pages/dashboard.php +++ b/pages/dashboard.php @@ -5,7 +5,7 @@ $HTML->ReplaceSeitenInhalt("%%GLOBAL-USER-COUNT%%", $RUNTIME['OPENSIM']->getUserCount()); $HTML->ReplaceSeitenInhalt("%%GLOBAL-REGION-COUNT%%", $RUNTIME['OPENSIM']->getRegionCount()); - $HTML->ReplaceLayoutInhalt("%%USERNAME%%", $_SESSION['DISPLAYNAME']); + $HTML->ReplaceLayoutInhalt("%%USERNAME%%", htmlspecialchars($_SESSION['DISPLAYNAME'])); $HTML->build(); echo $HTML->ausgabe(); diff --git a/pages/friends.php b/pages/friends.php index 2a7d5aa..d1b72bc 100644 --- a/pages/friends.php +++ b/pages/friends.php @@ -29,8 +29,7 @@ $FriendData[1] = str_replace("http://", "", $FriendData[1]); $FriendData[1] = str_replace("https://", "", $FriendData[1]); $FriendData[1] = str_replace("/", "", $FriendData[1]); - $entry = ''.trim($RUNTIME['OPENSIM']->getUserName($Friend)).' @ '.strtolower($FriendData[1]).'LÖSCHEN'; - + $entry = ''.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($Friend)).' @ '.strtolower($FriendData[1])).'LÖSCHEN'; } $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); diff --git a/pages/groups.php b/pages/groups.php index a5653d0..7c3d908 100644 --- a/pages/groups.php +++ b/pages/groups.php 
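Review bot: The new `htmlspecialchars($_SESSION['DISPLAYNAME'])` in pages/dashboard.php relies on the default flags, which on PHP versions before 8.1 are ENT_COMPAT and leave single quotes unescaped, so the value is only safe if `%%USERNAME%%` never sits inside a single-quoted attribute in the layout template (not visible here). Pass flags and charset explicitly, `htmlspecialchars($_SESSION['DISPLAYNAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, so the result does not depend on the PHP version; ENT_SUBSTITUTE also stops an invalid UTF-8 byte sequence in a display name from turning the whole output into an empty string. Since the same wrapper is repeated in every file of this patch, a small helper such as `function e($s) { return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }` would keep the rule in one place and make the next forgotten placeholder easier to spot.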
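Review bot: The added escaping in pages/friends.php covers the displayed `name @ gridhost` text, but the hunk's markup has been stripped in this rendering, so whatever the LÖSCHEN link puts into its href (presumably `$Friend`) cannot be reviewed; if that value is user- or remote-controlled it needs URL encoding, `rawurlencode($Friend)`, before being attribute-escaped, because htmlspecialchars alone does not neutralise `?`, `&` or a `javascript:` scheme in a link target. The host part is still only cleaned by case-sensitive `str_replace` of `http://`, `https://` and `/`, which is adequate for display now that it is escaped but is not a validation step. The enclosing loop starts above the hunk.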
@@ -20,7 +20,7 @@ while($rowGroups = $statementGroups->fetch()) { - $entry = ''.$rowGroups['Name'].''.$RUNTIME['OPENSIM']->getUserName($rowGroups['FounderID']).'VERLASSEN'; + $entry = ''.htmlspecialchars($rowGroups['Name']).''.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($rowGroups['FounderID'])).'VERLASSEN'; $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); } } diff --git a/pages/identities.php b/pages/identities.php index 1045d46..6940e0c 100644 --- a/pages/identities.php +++ b/pages/identities.php @@ -106,9 +106,9 @@ { if($row['IdentityID'] == $_SESSION['UUID']) { - $entry = ''.trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])).' Aktiv-'; + $entry = ''.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID']))).' Aktiv-'; }else{ - $entry = ''.trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])).'
'; + $entry = ''.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID']))).'
'; } $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); diff --git a/pages/login.php b/pages/login.php index d8c996b..9cda6fe 100644 --- a/pages/login.php +++ b/pages/login.php @@ -52,7 +52,7 @@ } $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", $RUNTIME['MESSAGE']['LOGINERROR']); - $HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", $_POST['username']); + $HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", htmlspecialchars($_POST['username'])); } } diff --git a/pages/password.php b/pages/password.php index 0fdf060..02355b0 100644 --- a/pages/password.php +++ b/pages/password.php @@ -57,10 +57,10 @@ if($PartnerUUID != null)$PartnerName = $RUNTIME['OPENSIM']->getUserName($PartnerUUID); $HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' '); - $HTML->ReplaceSeitenInhalt("%%firstname%%", $_SESSION['FIRSTNAME']); - $HTML->ReplaceSeitenInhalt("%%lastname%%", $_SESSION['LASTNAME']); - $HTML->ReplaceSeitenInhalt("%%partner%%", $PartnerName); - $HTML->ReplaceSeitenInhalt("%%email%%", $RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID'])); + $HTML->ReplaceSeitenInhalt("%%firstname%%", htmlspecialchars($_SESSION['FIRSTNAME'])); + $HTML->ReplaceSeitenInhalt("%%lastname%%", htmlspecialchars($_SESSION['LASTNAME'])); + $HTML->ReplaceSeitenInhalt("%%partner%%", htmlspecialchars($PartnerName)); + $HTML->ReplaceSeitenInhalt("%%email%%", htmlspecialchars($RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID']))); $HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", ""); $HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' '); $HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' '); diff --git a/pages/profile.php b/pages/profile.php index d784d65..178d9bf 100644 --- a/pages/profile.php +++ b/pages/profile.php 
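Review bot: Both branches of the `if` in pages/identities.php now repeat `htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])))`, which is the kind of duplication that lets one branch drift away from the escaping rule later. Compute it once above the condition, `$name = htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, and concatenate `$name` in both the active and the inactive entry. The surrounding loop begins above the hunk, and the markup of the entries is not visible in this rendering.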
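Review bot: `htmlspecialchars($_POST['username'])` in pages/login.php is reached from what looks like the failed-login branch, but if the field is missing or this path is hit on a GET, `$_POST['username']` is undefined and the call receives null, which PHP 8.1+ reports as a deprecation on top of the undefined-key warning. Use `htmlspecialchars($_POST['username'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`; `%%LASTUSERNAME%%` is presumably re-filled into the username input's value attribute, where ENT_QUOTES matters if the template uses single quotes. `%%LOGINMESSAGE%%` on the line above stays unescaped, which is acceptable only as long as `$RUNTIME['MESSAGE']['LOGINERROR']` remains a fixed configured string.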
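Review bot: `htmlspecialchars($PartnerName)` in pages/password.php is passed a variable that, within this hunk, is only assigned when `$PartnerUUID != null`; unless it is initialised above the hunk, a user without a partner produces an undefined-variable warning and a null argument, which PHP 8.1+ flags as deprecated. Initialise it before the condition, `$PartnerName = '';`, or pass `$PartnerName ?? ''`. These four replacement lines are duplicated verbatim in the pages/profile.php hunk of the same patch, so a shared function that fills the name, partner and email placeholders would keep the escaping rule in one place.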
@@ -152,10 +152,10 @@ if($RUNTIME['OPENSIM']->allowOfflineIM($_SESSION['UUID']) == "TRUE")$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' checked'); $HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' '); - $HTML->ReplaceSeitenInhalt("%%firstname%%", $_SESSION['FIRSTNAME']); - $HTML->ReplaceSeitenInhalt("%%lastname%%", $_SESSION['LASTNAME']); - $HTML->ReplaceSeitenInhalt("%%partner%%", $PartnerName); - $HTML->ReplaceSeitenInhalt("%%email%%", $RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID'])); + $HTML->ReplaceSeitenInhalt("%%firstname%%", htmlspecialchars($_SESSION['FIRSTNAME'])); + $HTML->ReplaceSeitenInhalt("%%lastname%%", htmlspecialchars($_SESSION['LASTNAME'])); + $HTML->ReplaceSeitenInhalt("%%partner%%", htmlspecialchars($PartnerName)); + $HTML->ReplaceSeitenInhalt("%%email%%", htmlspecialchars($RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID']))); $HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", ""); $HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' '); $HTML->ReplaceSeitenInhalt("%%IARINFOMESSAGE%%", ' '); diff --git a/pages/regions.php b/pages/regions.php index 715fb81..924e724 100644 --- a/pages/regions.php +++ b/pages/regions.php @@ -62,7 +62,7 @@ { $stats = getRegionStatsData($row['uuid']); - $entry = ''.$row['regionName'].''.$RUNTIME['OPENSIM']->getUserName($row['owner_uuid']).''.fillString(($row['locX'] / 256), 4).' / '.fillString(($row['locY'] / 256), 4).'LÖSCHEN'; + $entry = ''.htmlspecialchars($row['regionName']).''.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($row['owner_uuid'])).''.fillString(($row['locX'] / 256), 4).' / '.fillString(($row['locY'] / 256), 4).'LÖSCHEN'; $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); } diff --git a/pages/register.php b/pages/register.php index 6192cbf..23a7854 100644 --- a/pages/register.php +++ b/pages/register.php 
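Review bot: `%%firstname%%`, `%%lastname%%` and `%%email%%` in pages/profile.php are most likely injected into form `value=` attributes, so the escaping should request ENT_QUOTES explicitly rather than rely on the PHP-version-dependent default, e.g. `htmlspecialchars($_SESSION['FIRSTNAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The `%%listAllResidentsAsJSArray%%` placeholder on the following context line is currently cleared with an empty string; if it is ever populated, it is a JavaScript context and needs `json_encode(..., JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`, not htmlspecialchars. If `$PartnerName` is assigned conditionally above this hunk as it is in password.php, it also needs a default before being escaped.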
@@ -7,7 +7,7 @@ $HTML->ReplaceLayoutInhalt("%%MESSAGE%%", $message); $HTML->ReplaceLayoutInhalt("%%tosURL%%", $RUNTIME['TOOLS']['TOS'] ); - $HTML->ReplaceLayoutInhalt("%%INVCODE%%", $_REQUEST['code']); + $HTML->ReplaceLayoutInhalt("%%INVCODE%%", htmlspecialchars($_REQUEST['code'])); $HTML->build(); echo $HTML->ausgabe(); diff --git a/pages/user-online-state.php b/pages/user-online-state.php index 0f17e19..a4bef00 100644 --- a/pages/user-online-state.php +++ b/pages/user-online-state.php @@ -11,7 +11,7 @@ { if($row['RegionID'] != "00000000-0000-0000-0000-000000000000") { - $entry = ''.trim($RUNTIME['OPENSIM']->getUserName($row['UserID'])).''.$RUNTIME['OPENSIM']->getRegionName($row['RegionID']).''; + $entry = ''.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['UserID']))).''.htmlspecialchars($RUNTIME['OPENSIM']->getRegionName($row['RegionID'])).''; $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); } } diff --git a/pages/users.php b/pages/users.php index eb31a86..156688f 100644 --- a/pages/users.php +++ b/pages/users.php @@ -26,7 +26,7 @@ $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID'); $statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]); - $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", ''); + $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", ''); } $statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))"); @@ -50,7 +50,7 @@ while($row = $statement->fetch()) { - $entry = ''.$row['FirstName'].''.$row['LastName'].''.$row['UserLevel'].'PASSWORT ÄNDERN'; + $entry = ''.htmlspecialchars($row['FirstName']).''.htmlspecialchars($row['LastName']).''.htmlspecialchars($row['UserLevel']).'PASSWORT ÄNDERN'; $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); } diff --git a/plugins/default-html.php b/plugins/default-html.php index 6a76721..19b8314 100644 
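Review bot: `$_REQUEST['code']` in pages/register.php is read without an existence check, so opening the registration page without an invite code yields an undefined-key warning and passes null to htmlspecialchars (deprecated since PHP 8.1); use `htmlspecialchars($_REQUEST['code'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, since `%%INVCODE%%` is presumably echoed back inside a form field's value attribute. Depending on `request_order`, `$_REQUEST` can also merge cookies with GET and POST, so reading the code from `$_GET` (or `$_POST`) alone is more predictable. `%%MESSAGE%%` on the first context line is still replaced with `$message` unescaped; that is fine only if `$message` is built solely from fixed strings above the hunk, which cannot be seen here.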
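Review bot: In the user list of pages/users.php, `htmlspecialchars($row['UserLevel'])` is applied to what is presumably an integer column, while the PASSWORT ÄNDERN link built on the same line has lost its markup in this rendering, so whether the UUID placed in that link is encoded cannot be verified; a value that lands in an href needs `rawurlencode()` in addition to attribute escaping. If UserLevel is numeric, `(int)$row['UserLevel']` documents the intent better than escaping it. In the first hunk the `-` and `+` versions of the `%%MESSAGE%%` line read identically here, so the real change is hidden inside stripped tags; that message follows a password-salt reset driven by `$_REQUEST['userid']` with no visible CSRF token check, which is outside this patch but worth a follow-up since the query itself is correctly parameterised.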
--- a/plugins/default-html.php +++ b/plugins/default-html.php @@ -7,6 +7,6 @@ if(@$_SESSION['LEVEL'] > 100) $HTML->importHTML("style/default/dashboard-admin.html"); - $HTML->ReplaceLayoutInhalt("%%USERNAME%%", @$_SESSION['DISPLAYNAME']); + $HTML->ReplaceLayoutInhalt("%%USERNAME%%", htmlspecialchars(@$_SESSION['DISPLAYNAME'])); } ?> \ No newline at end of file
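Review bot: `htmlspecialchars(@$_SESSION['DISPLAYNAME'])` keeps the `@` suppression but still hands null to htmlspecialchars when no session name is set, which PHP 8.1+ reports as a deprecation; `htmlspecialchars($_SESSION['DISPLAYNAME'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` removes the need for `@` and fixes the flags at the same time. This line duplicates the `%%USERNAME%%` replacement in pages/dashboard.php from the same patch; doing the layout-level replacement in one place, or escaping inside `ReplaceLayoutInhalt` itself with an explicit raw variant for trusted markup, would stop the two from diverging. The file still ends with `?>` and no trailing newline; dropping the closing tag in a PHP-only file avoids accidental output of trailing whitespace.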