Always encode user input before including in HTML
parent
70962b0c63
commit
7b08766668
|
@ -5,7 +5,7 @@
|
||||||
$HTML->ReplaceSeitenInhalt("%%GLOBAL-USER-COUNT%%", $RUNTIME['OPENSIM']->getUserCount());
|
$HTML->ReplaceSeitenInhalt("%%GLOBAL-USER-COUNT%%", $RUNTIME['OPENSIM']->getUserCount());
|
||||||
$HTML->ReplaceSeitenInhalt("%%GLOBAL-REGION-COUNT%%", $RUNTIME['OPENSIM']->getRegionCount());
|
$HTML->ReplaceSeitenInhalt("%%GLOBAL-REGION-COUNT%%", $RUNTIME['OPENSIM']->getRegionCount());
|
||||||
|
|
||||||
$HTML->ReplaceLayoutInhalt("%%USERNAME%%", $_SESSION['DISPLAYNAME']);
|
$HTML->ReplaceLayoutInhalt("%%USERNAME%%", htmlspecialchars($_SESSION['DISPLAYNAME']));
|
||||||
|
|
||||||
$HTML->build();
|
$HTML->build();
|
||||||
echo $HTML->ausgabe();
|
echo $HTML->ausgabe();
|
||||||
|
|
|
@ -29,8 +29,7 @@
|
||||||
$FriendData[1] = str_replace("http://", "", $FriendData[1]);
|
$FriendData[1] = str_replace("http://", "", $FriendData[1]);
|
||||||
$FriendData[1] = str_replace("https://", "", $FriendData[1]);
|
$FriendData[1] = str_replace("https://", "", $FriendData[1]);
|
||||||
$FriendData[1] = str_replace("/", "", $FriendData[1]);
|
$FriendData[1] = str_replace("/", "", $FriendData[1]);
|
||||||
$entry = '<tr><td>'.trim($RUNTIME['OPENSIM']->getUserName($Friend)).' @ '.strtolower($FriendData[1]).'</td><td><a href="index.php?page=friends&action=remove&uuid='.$row['Friend'].'">LÖSCHEN</a></td></tr>';
|
$entry = '<tr><td>'.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($Friend)).' @ '.strtolower($FriendData[1])).'</td><td><a href="index.php?page=friends&action=remove&uuid='.urlencode($row['Friend']).'">LÖSCHEN</a></td></tr>';
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
||||||
|
|
|
@ -20,7 +20,7 @@
|
||||||
|
|
||||||
while($rowGroups = $statementGroups->fetch())
|
while($rowGroups = $statementGroups->fetch())
|
||||||
{
|
{
|
||||||
$entry = '<tr><td>'.$rowGroups['Name'].'</td><td>'.$RUNTIME['OPENSIM']->getUserName($rowGroups['FounderID']).'</td><td><a href="index.php?page=groups&action=leave&group='.$rowGroups['GroupID'].'">VERLASSEN</a></td></tr>';
|
$entry = '<tr><td>'.htmlspecialchars($rowGroups['Name']).'</td><td>'.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($rowGroups['FounderID'])).'</td><td><a href="index.php?page=groups&action=leave&group='.htmlspecialchars($rowGroups['GroupID']).'">VERLASSEN</a></td></tr>';
|
||||||
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -106,9 +106,9 @@
|
||||||
{
|
{
|
||||||
if($row['IdentityID'] == $_SESSION['UUID'])
|
if($row['IdentityID'] == $_SESSION['UUID'])
|
||||||
{
|
{
|
||||||
$entry = '<tr><td>'.trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])).' <span class="badge badge-info">Aktiv</span></td><td>-</td></tr>';
|
$entry = '<tr><td>'.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID']))).' <span class="badge badge-info">Aktiv</span></td><td>-</td></tr>';
|
||||||
}else{
|
}else{
|
||||||
$entry = '<tr><td>'.trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])).'</td><td><form action="index.php?page=identities" method="post"><input type="hidden" name="newuuid" value="'.$row['IdentityID'].'"><button type="submit" name="enableIdent" class="btn btn-success btn-sm">Aktievieren</button></form></td></tr>';
|
$entry = '<tr><td>'.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID']))).'</td><td><form action="index.php?page=identities" method="post"><input type="hidden" name="newuuid" value="'.htmlspecialchars($row['IdentityID']).'"><button type="submit" name="enableIdent" class="btn btn-success btn-sm">Aktievieren</button></form></td></tr>';
|
||||||
}
|
}
|
||||||
|
|
||||||
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
||||||
|
|
|
@ -52,7 +52,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", $RUNTIME['MESSAGE']['LOGINERROR']);
|
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", $RUNTIME['MESSAGE']['LOGINERROR']);
|
||||||
$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", $_POST['username']);
|
$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", htmlspecialchars($_POST['username']));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -57,10 +57,10 @@
|
||||||
if($PartnerUUID != null)$PartnerName = $RUNTIME['OPENSIM']->getUserName($PartnerUUID);
|
if($PartnerUUID != null)$PartnerName = $RUNTIME['OPENSIM']->getUserName($PartnerUUID);
|
||||||
|
|
||||||
$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' ');
|
$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' ');
|
||||||
$HTML->ReplaceSeitenInhalt("%%firstname%%", $_SESSION['FIRSTNAME']);
|
$HTML->ReplaceSeitenInhalt("%%firstname%%", htmlspecialchars($_SESSION['FIRSTNAME']));
|
||||||
$HTML->ReplaceSeitenInhalt("%%lastname%%", $_SESSION['LASTNAME']);
|
$HTML->ReplaceSeitenInhalt("%%lastname%%", htmlspecialchars($_SESSION['LASTNAME']));
|
||||||
$HTML->ReplaceSeitenInhalt("%%partner%%", $PartnerName);
|
$HTML->ReplaceSeitenInhalt("%%partner%%", htmlspecialchars($PartnerName));
|
||||||
$HTML->ReplaceSeitenInhalt("%%email%%", $RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID']));
|
$HTML->ReplaceSeitenInhalt("%%email%%", htmlspecialchars($RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID'])));
|
||||||
$HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", "");
|
$HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", "");
|
||||||
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
|
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
|
||||||
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
|
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
|
||||||
|
|
|
@ -152,10 +152,10 @@
|
||||||
if($RUNTIME['OPENSIM']->allowOfflineIM($_SESSION['UUID']) == "TRUE")$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' checked');
|
if($RUNTIME['OPENSIM']->allowOfflineIM($_SESSION['UUID']) == "TRUE")$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' checked');
|
||||||
|
|
||||||
$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' ');
|
$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' ');
|
||||||
$HTML->ReplaceSeitenInhalt("%%firstname%%", $_SESSION['FIRSTNAME']);
|
$HTML->ReplaceSeitenInhalt("%%firstname%%", htmlspecialchars($_SESSION['FIRSTNAME']));
|
||||||
$HTML->ReplaceSeitenInhalt("%%lastname%%", $_SESSION['LASTNAME']);
|
$HTML->ReplaceSeitenInhalt("%%lastname%%", htmlspecialchars($_SESSION['LASTNAME']));
|
||||||
$HTML->ReplaceSeitenInhalt("%%partner%%", $PartnerName);
|
$HTML->ReplaceSeitenInhalt("%%partner%%", htmlspecialchars($PartnerName));
|
||||||
$HTML->ReplaceSeitenInhalt("%%email%%", $RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID']));
|
$HTML->ReplaceSeitenInhalt("%%email%%", htmlspecialchars($RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID'])));
|
||||||
$HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", "");
|
$HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", "");
|
||||||
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
|
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
|
||||||
$HTML->ReplaceSeitenInhalt("%%IARINFOMESSAGE%%", ' ');
|
$HTML->ReplaceSeitenInhalt("%%IARINFOMESSAGE%%", ' ');
|
||||||
|
|
|
@ -62,7 +62,7 @@
|
||||||
{
|
{
|
||||||
$stats = getRegionStatsData($row['uuid']);
|
$stats = getRegionStatsData($row['uuid']);
|
||||||
|
|
||||||
$entry = '<tr><td>'.$row['regionName'].'<div class="blockquote-footer">Prims: '.$stats['Prims'].'; RAM-Nutzung: '.$stats['ProcMem'].'; SIM/PHYS FPS: '.$stats['SimFPS'].'/'.$stats['PhyFPS'].' ('.$stats['RegionVersion'].')</div></td><td>'.$RUNTIME['OPENSIM']->getUserName($row['owner_uuid']).'</td><td>'.fillString(($row['locX'] / 256), 4).' / '.fillString(($row['locY'] / 256), 4).'</td><td><a href="index.php?page=regions&action=remove®ion='.$row['uuid'].'">LÖSCHEN</a></td></tr>';
|
$entry = '<tr><td>'.htmlspecialchars($row['regionName']).'<div class="blockquote-footer">Prims: '.$stats['Prims'].'; RAM-Nutzung: '.$stats['ProcMem'].'; SIM/PHYS FPS: '.$stats['SimFPS'].'/'.$stats['PhyFPS'].' ('.$stats['RegionVersion'].')</div></td><td>'.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($row['owner_uuid'])).'</td><td>'.fillString(($row['locX'] / 256), 4).' / '.fillString(($row['locY'] / 256), 4).'</td><td><a href="index.php?page=regions&action=remove®ion='.$row['uuid'].'">LÖSCHEN</a></td></tr>';
|
||||||
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
|
|
||||||
$HTML->ReplaceLayoutInhalt("%%MESSAGE%%", $message);
|
$HTML->ReplaceLayoutInhalt("%%MESSAGE%%", $message);
|
||||||
$HTML->ReplaceLayoutInhalt("%%tosURL%%", $RUNTIME['TOOLS']['TOS'] );
|
$HTML->ReplaceLayoutInhalt("%%tosURL%%", $RUNTIME['TOOLS']['TOS'] );
|
||||||
$HTML->ReplaceLayoutInhalt("%%INVCODE%%", $_REQUEST['code']);
|
$HTML->ReplaceLayoutInhalt("%%INVCODE%%", htmlspecialchars($_REQUEST['code']));
|
||||||
|
|
||||||
$HTML->build();
|
$HTML->build();
|
||||||
echo $HTML->ausgabe();
|
echo $HTML->ausgabe();
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
{
|
{
|
||||||
if($row['RegionID'] != "00000000-0000-0000-0000-000000000000")
|
if($row['RegionID'] != "00000000-0000-0000-0000-000000000000")
|
||||||
{
|
{
|
||||||
$entry = '<tr><td>'.trim($RUNTIME['OPENSIM']->getUserName($row['UserID'])).'</td><td>'.$RUNTIME['OPENSIM']->getRegionName($row['RegionID']).'</td></tr>';
|
$entry = '<tr><td>'.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['UserID']))).'</td><td>'.htmlspecialchars($RUNTIME['OPENSIM']->getRegionName($row['RegionID'])).'</td></tr>';
|
||||||
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -26,7 +26,7 @@
|
||||||
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID');
|
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID');
|
||||||
$statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]);
|
$statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]);
|
||||||
|
|
||||||
$HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.$RUNTIME['OPENSIM']->getUserName($_REQUEST['userid']).' wurde geändert. Das neue Passwort ist <b>'.$NEWPW.'</b></div>');
|
$HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($_REQUEST['userid'])).' wurde geändert. Das neue Passwort ist <b>'.htmlspecialchars($NEWPW).'</b></div>');
|
||||||
}
|
}
|
||||||
|
|
||||||
$statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))");
|
$statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))");
|
||||||
|
@ -50,7 +50,7 @@
|
||||||
|
|
||||||
while($row = $statement->fetch())
|
while($row = $statement->fetch())
|
||||||
{
|
{
|
||||||
$entry = '<tr><td>'.$row['FirstName'].'</td><td>'.$row['LastName'].'</td><td>'.$row['UserLevel'].'</td><td><a href="index.php?page=users&action=genpw&userid='.$row['PrincipalID'].'">PASSWORT ÄNDERN</a></td></tr>';
|
$entry = '<tr><td>'.htmlspecialchars($row['FirstName']).'</td><td>'.htmlspecialchars($row['LastName']).'</td><td>'.htmlspecialchars($row['UserLevel']).'</td><td><a href="index.php?page=users&action=genpw&userid='.htmlspecialchars($row['PrincipalID']).'">PASSWORT ÄNDERN</a></td></tr>';
|
||||||
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -7,6 +7,6 @@
|
||||||
if(@$_SESSION['LEVEL'] > 100)
|
if(@$_SESSION['LEVEL'] > 100)
|
||||||
$HTML->importHTML("style/default/dashboard-admin.html");
|
$HTML->importHTML("style/default/dashboard-admin.html");
|
||||||
|
|
||||||
$HTML->ReplaceLayoutInhalt("%%USERNAME%%", @$_SESSION['DISPLAYNAME']);
|
$HTML->ReplaceLayoutInhalt("%%USERNAME%%", htmlspecialchars(@$_SESSION['DISPLAYNAME']));
|
||||||
}
|
}
|
||||||
?>
|
?>
|
Loading…
Reference in New Issue