
Always encode user input before including in HTML

master
Anonymous Contributor 2023-08-23 18:16:34 +02:00
parent 70962b0c63
commit 7b08766668
12 changed files with 20 additions and 21 deletions


@ -5,7 +5,7 @@
$HTML->ReplaceSeitenInhalt("%%GLOBAL-USER-COUNT%%", $RUNTIME['OPENSIM']->getUserCount()); $HTML->ReplaceSeitenInhalt("%%GLOBAL-USER-COUNT%%", $RUNTIME['OPENSIM']->getUserCount());
$HTML->ReplaceSeitenInhalt("%%GLOBAL-REGION-COUNT%%", $RUNTIME['OPENSIM']->getRegionCount()); $HTML->ReplaceSeitenInhalt("%%GLOBAL-REGION-COUNT%%", $RUNTIME['OPENSIM']->getRegionCount());
$HTML->ReplaceLayoutInhalt("%%USERNAME%%", $_SESSION['DISPLAYNAME']); $HTML->ReplaceLayoutInhalt("%%USERNAME%%", htmlspecialchars($_SESSION['DISPLAYNAME']));
$HTML->build(); $HTML->build();
echo $HTML->ausgabe(); echo $HTML->ausgabe();
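Review bot: `htmlspecialchars($_SESSION['DISPLAYNAME'])` on the %%USERNAME%% line relies on the default flags, which on PHP below 8.1 are ENT_COMPAT and leave single quotes unescaped, and whether the layout puts this placeholder inside a single-quoted attribute is not visible here. Passing the context explicitly removes the version dependence: `htmlspecialchars($_SESSION['DISPLAYNAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The same applies to every htmlspecialchars call this commit adds; the %%LASTUSERNAME%%, %%firstname%%/%%lastname%% and %%INVCODE%% hunks in particular substitute into template placeholders whose surrounding markup is not shown. A small helper wrapping these flags would keep the call sites consistent.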


@ -29,8 +29,7 @@
$FriendData[1] = str_replace("http://", "", $FriendData[1]); $FriendData[1] = str_replace("http://", "", $FriendData[1]);
$FriendData[1] = str_replace("https://", "", $FriendData[1]); $FriendData[1] = str_replace("https://", "", $FriendData[1]);
$FriendData[1] = str_replace("/", "", $FriendData[1]); $FriendData[1] = str_replace("/", "", $FriendData[1]);
$entry = '<tr><td>'.trim($RUNTIME['OPENSIM']->getUserName($Friend)).' @ '.strtolower($FriendData[1]).'</td><td><a href="index.php?page=friends&action=remove&uuid='.$row['Friend'].'">LÖSCHEN</a></td></tr>'; $entry = '<tr><td>'.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($Friend)).' @ '.strtolower($FriendData[1])).'</td><td><a href="index.php?page=friends&action=remove&uuid='.urlencode($row['Friend']).'">LÖSCHEN</a></td></tr>';
} }
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);


@ -20,7 +20,7 @@
while($rowGroups = $statementGroups->fetch()) while($rowGroups = $statementGroups->fetch())
{ {
$entry = '<tr><td>'.$rowGroups['Name'].'</td><td>'.$RUNTIME['OPENSIM']->getUserName($rowGroups['FounderID']).'</td><td><a href="index.php?page=groups&action=leave&group='.$rowGroups['GroupID'].'">VERLASSEN</a></td></tr>'; $entry = '<tr><td>'.htmlspecialchars($rowGroups['Name']).'</td><td>'.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($rowGroups['FounderID'])).'</td><td><a href="index.php?page=groups&action=leave&group='.htmlspecialchars($rowGroups['GroupID']).'">VERLASSEN</a></td></tr>';
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
} }
} }
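Review bot: In the VERLASSEN link, `htmlspecialchars($rowGroups['GroupID'])` escapes for HTML text but not for the URL query it sits in: `&`, `#`, `?`, `%` and spaces pass through, so a value containing them still truncates the parameter or adds further ones. The friends hunk already uses the right primitive for this context; mirror it here with `'&group='.htmlspecialchars(urlencode($rowGroups['GroupID'])).'"'`, which encodes for the URL first and then for the attribute. The genpw link in the users hunk (`userid='.htmlspecialchars($row['PrincipalID'])`) has the same issue; the hidden-input `value` in the identities hunk is an attribute, not a URL, so htmlspecialchars alone is correct there.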


@ -106,9 +106,9 @@
{ {
if($row['IdentityID'] == $_SESSION['UUID']) if($row['IdentityID'] == $_SESSION['UUID'])
{ {
$entry = '<tr><td>'.trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])).' <span class="badge badge-info">Aktiv</span></td><td>-</td></tr>'; $entry = '<tr><td>'.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID']))).' <span class="badge badge-info">Aktiv</span></td><td>-</td></tr>';
}else{ }else{
$entry = '<tr><td>'.trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID'])).'</td><td><form action="index.php?page=identities" method="post"><input type="hidden" name="newuuid" value="'.$row['IdentityID'].'"><button type="submit" name="enableIdent" class="btn btn-success btn-sm">Aktievieren</button></form></td></tr>'; $entry = '<tr><td>'.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['IdentityID']))).'</td><td><form action="index.php?page=identities" method="post"><input type="hidden" name="newuuid" value="'.htmlspecialchars($row['IdentityID']).'"><button type="submit" name="enableIdent" class="btn btn-success btn-sm">Aktievieren</button></form></td></tr>';
} }
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);


@ -52,7 +52,7 @@
} }
$HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", $RUNTIME['MESSAGE']['LOGINERROR']); $HTML->ReplaceLayoutInhalt("%%LOGINMESSAGE%%", $RUNTIME['MESSAGE']['LOGINERROR']);
$HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", $_POST['username']); $HTML->ReplaceLayoutInhalt("%%LASTUSERNAME%%", htmlspecialchars($_POST['username']));
} }
} }


@ -57,10 +57,10 @@
if($PartnerUUID != null)$PartnerName = $RUNTIME['OPENSIM']->getUserName($PartnerUUID); if($PartnerUUID != null)$PartnerName = $RUNTIME['OPENSIM']->getUserName($PartnerUUID);
$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' '); $HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' ');
$HTML->ReplaceSeitenInhalt("%%firstname%%", $_SESSION['FIRSTNAME']); $HTML->ReplaceSeitenInhalt("%%firstname%%", htmlspecialchars($_SESSION['FIRSTNAME']));
$HTML->ReplaceSeitenInhalt("%%lastname%%", $_SESSION['LASTNAME']); $HTML->ReplaceSeitenInhalt("%%lastname%%", htmlspecialchars($_SESSION['LASTNAME']));
$HTML->ReplaceSeitenInhalt("%%partner%%", $PartnerName); $HTML->ReplaceSeitenInhalt("%%partner%%", htmlspecialchars($PartnerName));
$HTML->ReplaceSeitenInhalt("%%email%%", $RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID'])); $HTML->ReplaceSeitenInhalt("%%email%%", htmlspecialchars($RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID'])));
$HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", ""); $HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", "");
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' '); $HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' '); $HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
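Review bot: `htmlspecialchars($PartnerName)` on the %%partner%% line receives a variable that the visible code assigns only when `$PartnerUUID != null`; unless `$PartnerName` is initialised above the hunk, the no-partner path passes null, which htmlspecialchars reports as deprecated on PHP 8.1+ and which was an undefined-variable notice before. `htmlspecialchars($PartnerName ?? '')` keeps the output identical and makes the intent explicit. The later hunk that repeats the same %%partner%% line below the allowOfflineIM check has the same shape.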


@ -152,10 +152,10 @@
if($RUNTIME['OPENSIM']->allowOfflineIM($_SESSION['UUID']) == "TRUE")$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' checked'); if($RUNTIME['OPENSIM']->allowOfflineIM($_SESSION['UUID']) == "TRUE")$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' checked');
$HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' '); $HTML->ReplaceSeitenInhalt("%%offlineIMSTATE%%", ' ');
$HTML->ReplaceSeitenInhalt("%%firstname%%", $_SESSION['FIRSTNAME']); $HTML->ReplaceSeitenInhalt("%%firstname%%", htmlspecialchars($_SESSION['FIRSTNAME']));
$HTML->ReplaceSeitenInhalt("%%lastname%%", $_SESSION['LASTNAME']); $HTML->ReplaceSeitenInhalt("%%lastname%%", htmlspecialchars($_SESSION['LASTNAME']));
$HTML->ReplaceSeitenInhalt("%%partner%%", $PartnerName); $HTML->ReplaceSeitenInhalt("%%partner%%", htmlspecialchars($PartnerName));
$HTML->ReplaceSeitenInhalt("%%email%%", $RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID'])); $HTML->ReplaceSeitenInhalt("%%email%%", htmlspecialchars($RUNTIME['OPENSIM']->getUserMail($_SESSION['UUID'])));
$HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", ""); $HTML->ReplaceSeitenInhalt("%%listAllResidentsAsJSArray%%", "");
$HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' '); $HTML->ReplaceSeitenInhalt("%%INFOMESSAGE%%", ' ');
$HTML->ReplaceSeitenInhalt("%%IARINFOMESSAGE%%", ' '); $HTML->ReplaceSeitenInhalt("%%IARINFOMESSAGE%%", ' ');


@ -62,7 +62,7 @@
{ {
$stats = getRegionStatsData($row['uuid']); $stats = getRegionStatsData($row['uuid']);
$entry = '<tr><td>'.$row['regionName'].'<div class="blockquote-footer">Prims: '.$stats['Prims'].'; RAM-Nutzung: '.$stats['ProcMem'].'; SIM/PHYS FPS: '.$stats['SimFPS'].'/'.$stats['PhyFPS'].' ('.$stats['RegionVersion'].')</div></td><td>'.$RUNTIME['OPENSIM']->getUserName($row['owner_uuid']).'</td><td>'.fillString(($row['locX'] / 256), 4).' / '.fillString(($row['locY'] / 256), 4).'</td><td><a href="index.php?page=regions&action=remove&region='.$row['uuid'].'">LÖSCHEN</a></td></tr>'; $entry = '<tr><td>'.htmlspecialchars($row['regionName']).'<div class="blockquote-footer">Prims: '.$stats['Prims'].'; RAM-Nutzung: '.$stats['ProcMem'].'; SIM/PHYS FPS: '.$stats['SimFPS'].'/'.$stats['PhyFPS'].' ('.$stats['RegionVersion'].')</div></td><td>'.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($row['owner_uuid'])).'</td><td>'.fillString(($row['locX'] / 256), 4).' / '.fillString(($row['locY'] / 256), 4).'</td><td><a href="index.php?page=regions&action=remove&region='.$row['uuid'].'">LÖSCHEN</a></td></tr>';
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
} }
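Review bot: The region row still concatenates `$row['uuid']` raw into the LÖSCHEN href and `$stats['Prims']`, `$stats['ProcMem']`, `$stats['SimFPS']`, `$stats['PhyFPS']` and `$stats['RegionVersion']` raw into the cell, while only regionName and the owner name were wrapped. getRegionStatsData is outside the hunk, so where those values originate is not visible; if they are read back from the simulator rather than produced locally, `RegionVersion` in particular is free text and needs the same `htmlspecialchars()` as the name. For the link, `'&region='.urlencode($row['uuid']).'"'` matches what the friends hunk does for its remove link.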


@ -7,7 +7,7 @@
$HTML->ReplaceLayoutInhalt("%%MESSAGE%%", $message); $HTML->ReplaceLayoutInhalt("%%MESSAGE%%", $message);
$HTML->ReplaceLayoutInhalt("%%tosURL%%", $RUNTIME['TOOLS']['TOS'] ); $HTML->ReplaceLayoutInhalt("%%tosURL%%", $RUNTIME['TOOLS']['TOS'] );
$HTML->ReplaceLayoutInhalt("%%INVCODE%%", $_REQUEST['code']); $HTML->ReplaceLayoutInhalt("%%INVCODE%%", htmlspecialchars($_REQUEST['code']));
$HTML->build(); $HTML->build();
echo $HTML->ausgabe(); echo $HTML->ausgabe();
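Review bot: `$message` and `$RUNTIME['TOOLS']['TOS']` are still substituted into %%MESSAGE%% and %%tosURL%% unescaped on the lines just above the newly encoded %%INVCODE%%, and where `$message` is assembled is outside the hunk. If it only ever holds fixed markup chosen by the code, a one-line comment such as `// $message is static HTML chosen by this page, never built from request data` would document why it is exempt; if any branch builds it from `$_REQUEST`, it needs the same `htmlspecialchars()` treatment as the invite code.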


@ -11,7 +11,7 @@
{ {
if($row['RegionID'] != "00000000-0000-0000-0000-000000000000") if($row['RegionID'] != "00000000-0000-0000-0000-000000000000")
{ {
$entry = '<tr><td>'.trim($RUNTIME['OPENSIM']->getUserName($row['UserID'])).'</td><td>'.$RUNTIME['OPENSIM']->getRegionName($row['RegionID']).'</td></tr>'; $entry = '<tr><td>'.htmlspecialchars(trim($RUNTIME['OPENSIM']->getUserName($row['UserID']))).'</td><td>'.htmlspecialchars($RUNTIME['OPENSIM']->getRegionName($row['RegionID'])).'</td></tr>';
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
} }
} }


@ -26,7 +26,7 @@
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID'); $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID');
$statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]); $statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]);
$HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.$RUNTIME['OPENSIM']->getUserName($_REQUEST['userid']).' wurde geändert. Das neue Passwort ist <b>'.$NEWPW.'</b></div>'); $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.htmlspecialchars($RUNTIME['OPENSIM']->getUserName($_REQUEST['userid'])).' wurde geändert. Das neue Passwort ist <b>'.htmlspecialchars($NEWPW).'</b></div>');
} }
$statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))"); $statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))");
@ -50,7 +50,7 @@
while($row = $statement->fetch()) while($row = $statement->fetch())
{ {
$entry = '<tr><td>'.$row['FirstName'].'</td><td>'.$row['LastName'].'</td><td>'.$row['UserLevel'].'</td><td><a href="index.php?page=users&action=genpw&userid='.$row['PrincipalID'].'">PASSWORT ÄNDERN</a></td></tr>'; $entry = '<tr><td>'.htmlspecialchars($row['FirstName']).'</td><td>'.htmlspecialchars($row['LastName']).'</td><td>'.htmlspecialchars($row['UserLevel']).'</td><td><a href="index.php?page=users&action=genpw&userid='.htmlspecialchars($row['PrincipalID']).'">PASSWORT ÄNDERN</a></td></tr>';
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
} }


@ -7,6 +7,6 @@
if(@$_SESSION['LEVEL'] > 100) if(@$_SESSION['LEVEL'] > 100)
$HTML->importHTML("style/default/dashboard-admin.html"); $HTML->importHTML("style/default/dashboard-admin.html");
$HTML->ReplaceLayoutInhalt("%%USERNAME%%", @$_SESSION['DISPLAYNAME']); $HTML->ReplaceLayoutInhalt("%%USERNAME%%", htmlspecialchars(@$_SESSION['DISPLAYNAME']));
} }
?> ?>
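Review bot: `htmlspecialchars(@$_SESSION['DISPLAYNAME'])` keeps the `@` suppression, so a missing session entry silently becomes null and htmlspecialchars(null) then emits a deprecation on PHP 8.1+. `htmlspecialchars($_SESSION['DISPLAYNAME'] ?? '')` produces the same output without suppressing anything, and the same rewrite fits the `@$_SESSION['LEVEL']` condition two lines up as `($_SESSION['LEVEL'] ?? 0) > 100`. The `}` before `?>` closes a block opened outside the hunk.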