Added escape method to Utils

2.0
Wruczek 6 years ago
parent a1eafee419
commit 7ac6d34e7b

@ -2,7 +2,6 @@
namespace Wruczek\TSWebsite\Utils\Language; namespace Wruczek\TSWebsite\Utils\Language;
use function htmlspecialchars;
use Wruczek\PhpFileCache\PhpFileCache; use Wruczek\PhpFileCache\PhpFileCache;
use Wruczek\TSWebsite\Utils\DatabaseUtils; use Wruczek\TSWebsite\Utils\DatabaseUtils;
use Wruczek\TSWebsite\Utils\SingletonTait; use Wruczek\TSWebsite\Utils\SingletonTait;

@ -165,13 +165,13 @@ class TemplateUtils {
} }
} else if (is_string($parameter)) { } else if (is_string($parameter)) {
// NEEDS to start with a space! // NEEDS to start with a space!
$attributes = ' integrity="' . htmlspecialchars($parameter) . '" crossorigin="anonymous"'; $attributes = ' integrity="' . Utils::escape($parameter) . '" crossorigin="anonymous"';
} }
if ($resourceType === "stylesheet") { if ($resourceType === "stylesheet") {
echo '<link rel="stylesheet" href="' . htmlspecialchars($url) . '"' . $attributes . '>'; echo '<link rel="stylesheet" href="' . Utils::escape($url) . '"' . $attributes . '>';
} else if ($resourceType === "script") { } else if ($resourceType === "script") {
echo '<script src="' . htmlspecialchars($url) . '"' . $attributes . '></script>'; echo '<script src="' . Utils::escape($url) . '"' . $attributes . '></script>';
} else { } else {
throw new \InvalidArgumentException("$resourceType is not a valid resource type"); throw new \InvalidArgumentException("$resourceType is not a valid resource type");
} }
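Review bot: The new `Utils::escape(...)` calls in this TemplateUtils hunk depend on `Utils` resolving to `Wruczek\TSWebsite\Utils\Utils`, but the file's namespace is `Wruczek\TSWebsite\Utils\Language` and the import hunk only removes `use function htmlspecialchars;` (the -2,7 +2,6 counts allow no added line), whereas the ViewerRenderer and session-bootstrap hunks in this commit do add `use Wruczek\TSWebsite\Utils\Utils;`. Unless that import already exists further down the use block, outside the hunk, the unqualified `Utils` resolves to `Wruczek\TSWebsite\Utils\Language\Utils` and every stylesheet/script include fails with a class-not-found error. Add `use Wruczek\TSWebsite\Utils\Utils;` next to the other imports. The enclosing method starts and ends outside the hunk.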

@ -9,12 +9,21 @@ use Wruczek\TSWebsite\News\INewsStore;
/** /**
* Class Utils * Class Utils
* @package Wruczek\TSWebsite\Utils * @package Wruczek\TSWebsite\Utils
* @author Wruczek 2017 * @author Wruczek 2017 - 2019
*/ */
class Utils { class Utils {
private function __construct() {} private function __construct() {}
/**
* Escapes HTML characters with htmlspecialchars
* @param $string string String to be escaped
* @return string escaped string
*/
public static function escape($string) {
return htmlspecialchars((string) $string, ENT_QUOTES, "UTF-8");
}
/** /**
* Strips the first line from string * Strips the first line from string
* https://stackoverflow.com/a/7740485 * https://stackoverflow.com/a/7740485
@ -100,7 +109,7 @@ class Utils {
*/ */
public static function getClientIp($useCfip = null) { public static function getClientIp($useCfip = null) {
if ($useCfip === null) { if ($useCfip === null) {
$useCfip = (bool) Config::get("usingcloudflare"); $useCfip = Config::get("usingcloudflare");
} }
// If IPv6 localhost, return IPv4 localhost // If IPv6 localhost, return IPv4 localhost
@ -108,7 +117,7 @@ class Utils {
return "127.0.0.1"; return "127.0.0.1";
} }
if (!empty($_SERVER["HTTP_CF_CONNECTING_IP"]) && $useCfip) { if ($useCfip && !empty($_SERVER["HTTP_CF_CONNECTING_IP"])) {
return $_SERVER["HTTP_CF_CONNECTING_IP"]; return $_SERVER["HTTP_CF_CONNECTING_IP"];
} }
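Review bot: `Utils::escape` passes only `ENT_QUOTES` to `htmlspecialchars`, so input that is not valid UTF-8 (server-supplied nicknames and away messages are not guaranteed to be) makes it return an empty string instead of an escaped one, silently dropping the value; `return htmlspecialchars((string) $string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, "UTF-8");` would substitute U+FFFD instead. The docblock has the tag order reversed and should read `@param string $string String to be escaped`, and since the `(string)` cast turns an array into `"Array"` with a warning, a native `string $string` declaration (or a documented `@param scalar|null $string`) would make the accepted input explicit. In the `getClientIp` hunk, dropping the `(bool)` cast on `Config::get("usingcloudflare")` leaves `$useCfip` holding whatever the config store returns; if that can be a string such as `"false"` it is truthy and Cloudflare headers would be trusted unexpectedly, so either keep the cast or confirm the store returns a real boolean.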

@ -4,6 +4,7 @@ namespace Wruczek\TSWebsite;
use function __get; use function __get;
use TeamSpeak3; use TeamSpeak3;
use Wruczek\TSWebsite\Utils\Utils;
class ViewerRenderer { class ViewerRenderer {
@ -77,7 +78,7 @@ EOD;
$this->add( $this->add(
$html, $html,
$this->getIcon("server_green.svg"), $this->getIcon("server_green.svg"),
htmlspecialchars($this->serverInfo["virtualserver_name"]), Utils::escape($this->serverInfo["virtualserver_name"]),
$suffixIcons $suffixIcons
); );
@ -99,8 +100,8 @@ EOD;
$path = "api/geticon.php?iconid=" . (int) $name; $path = "api/geticon.php?iconid=" . (int) $name;
} }
$ttip = $tooltip ? ' data-toggle="tooltip" title="' . htmlspecialchars($tooltip) . '"' : ""; $ttip = $tooltip ? ' data-toggle="tooltip" title="' . Utils::escape($tooltip) . '"' : "";
return '<img class="icon" src="' . $path . '" alt="' . htmlspecialchars($alt) . '"' . $ttip . '>'; return '<img class="icon" src="' . $path . '" alt="' . Utils::escape($alt) . '"' . $ttip . '>';
} }
/** /**
@ -162,7 +163,7 @@ EOD;
$channel->getId(), $channel->getId(),
$channel->isSpacer() ? "" : ' tabindex="0"', $channel->isSpacer() ? "" : ' tabindex="0"',
$channelIcon, $channelIcon,
htmlspecialchars($channelDisplayName), Utils::escape($channelDisplayName),
$suffixIcons $suffixIcons
); );
@ -222,7 +223,7 @@ EOD;
$clientName = implode(" ", $beforeName); // prefix groups $clientName = implode(" ", $beforeName); // prefix groups
$clientName .= " {$client["client_nickname"]} "; // nickname $clientName .= " {$client["client_nickname"]} "; // nickname
$clientName .= implode(" ", $afterName); // suffix groups $clientName .= implode(" ", $afterName); // suffix groups
$clientName = htmlspecialchars(trim($clientName)); // trim and sanitize $clientName = Utils::escape(trim($clientName)); // trim and sanitize
$this->add( $this->add(
$html, $html,
@ -286,7 +287,7 @@ EOD;
} }
if($client["client_away"]) { if($client["client_away"]) {
return $this->getIcon("away.svg", htmlspecialchars($client["client_away_message"]) ?: __get("VIEWER_CLIENT_AWAY")); return $this->getIcon("away.svg", Utils::escape($client["client_away_message"]) ?: __get("VIEWER_CLIENT_AWAY"));
} }
if(!$client["client_output_hardware"]) { if(!$client["client_output_hardware"]) {
@ -340,7 +341,7 @@ EOD;
// to show the group with a "broken-image" icons. // to show the group with a "broken-image" icons.
} }
$html .= $this->getIcon($icon, htmlspecialchars($group["name"])); $html .= $this->getIcon($icon, Utils::escape($group["name"]));
} }
if($client["client_icon_id"]) { if($client["client_icon_id"]) {
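Review bot: The `getIcon` call sites in the `client_away` and group hunks (`Utils::escape($client["client_away_message"])`, `Utils::escape($group["name"])`) pass an already-escaped value into `getIcon`, whose return line escapes both `$alt` and `$tooltip` again, so a name containing `&` or `<` renders as `&amp;amp;` / `&amp;lt;` in the alt or title attribute. The previous `htmlspecialchars` calls had the same double-encoding, but since this commit centralises escaping it is the moment to drop the outer call — `$this->getIcon("away.svg", $client["client_away_message"] ?: __get("VIEWER_CLIENT_AWAY"))` and `$this->getIcon($icon, $group["name"])` — and let `getIcon` be the single escaping point (this assumes `__get` returns plain text, worth confirming). `getIcon`'s signature is outside the hunk, so which parameter the second argument binds to is inferred from the visible return line.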

@ -4,6 +4,7 @@ use Wruczek\TSWebsite\Config;
use Wruczek\TSWebsite\ServerIconCache; use Wruczek\TSWebsite\ServerIconCache;
use Wruczek\TSWebsite\Utils\CsrfUtils; use Wruczek\TSWebsite\Utils\CsrfUtils;
use Wruczek\TSWebsite\Utils\Language\LanguageUtils; use Wruczek\TSWebsite\Utils\Language\LanguageUtils;
use Wruczek\TSWebsite\Utils\Utils;
session_name("tswebsite_sessionid"); session_name("tswebsite_sessionid");
@ -71,7 +72,7 @@ if(!isset($_SESSION["userlanguageid"])) {
try { try {
return LanguageUtils::i()->translate($identifier, $args); return LanguageUtils::i()->translate($identifier, $args);
} catch (\Exception $e) { } catch (\Exception $e) {
return "(unknown translation for " . htmlspecialchars($identifier) . ")"; return "(unknown translation for " . Utils::escape($identifier) . ")";
} }
} }
} }
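Review bot: In the `__get` catch branch the identifier is now escaped, but the success path returns `LanguageUtils::i()->translate($identifier, $args)` unescaped, so callers receive HTML-safe text on failure and raw translation output on success; whether that is intended (translations may carry markup) is not visible here, and the function's docblock, which starts outside the hunk, should state which return path is escaped. The catch also discards `$e`, so a translation-store failure is indistinguishable from a missing key in the rendered output; logging it before returning the placeholder would preserve that signal.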
