From bfcc39040b548cb48e607a264c7cf1048501889e Mon Sep 17 00:00:00 2001
From: Austin
Date: Sat, 13 Nov 2021 22:48:13 -0500
Subject: [PATCH] mod panel security concern
---
 globals/functions.php | 8 ++++++++
 html/MCP/chat-logs/loggedChats.php | 6 +++---
 html/MCP/pendingassets.php | 4 ++--
 html/MCP/reports/data/index.php | 6 +++---
 html/MCP/user-management.php | 2 +-
 5 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/globals/functions.php b/globals/functions.php
index 5a3ae43..43931d1 100644
--- a/globals/functions.php
+++ b/globals/functions.php
@@ -6615,6 +6615,14 @@ function cleanOutput($t, $linebreaks=true) {
 return filterText($t);
 }
+function cleanOutputNoFilter($t, $linebreaks=true) {
+ $t = htmlentities($t);
+ if ($linebreaks) {
+ $t = nl2br($t);
+ }
+ return strip_tags($t, '
');
+}
+
 //theme stuff
 function setTheme($theme) //sets the users theme
 {
diff --git a/html/MCP/chat-logs/loggedChats.php b/html/MCP/chat-logs/loggedChats.php
index eecdd84..727d4ec 100644
--- a/html/MCP/chat-logs/loggedChats.php
+++ b/html/MCP/chat-logs/loggedChats.php
@@ -74,13 +74,13 @@ foreach($messages as $message) {
 $userid = $message['whoSent'];
 $gameAssetId = $message['gameAssetId'];
- $loggedMessage = $message['message'];
+ $loggedMessage = cleanOutputNoFilter($message['message']);
 $whenlogged = date("m/d/Y", $message['whenSent']);
 $loggedMessages = array(
 "userid" => $userid,
- "username" => getUsername($userid),
+ "username" => cleanOutputNoFilter(getUsername($userid)),
 "thumbnail" => getPlayerRender($userid),
- "placeName" => getAssetInfo($gameAssetId)->Name,
+ "placeName" => cleanOutputNoFilter(getAssetInfo($gameAssetId)->Name),
 "placeId" => $gameAssetId,
 "message" => $loggedMessage,
 "date" => $whenlogged
diff --git a/html/MCP/pendingassets.php b/html/MCP/pendingassets.php
index e30dd5e..be78f3f 100644
--- a/html/MCP/pendingassets.php
+++ b/html/MCP/pendingassets.php
@@ -61,8 +61,8 @@ foreach($assets as $asset)
 $assetid = $asset['id'];
 $creatorid = $asset['CreatorId'];
 $assettypeid = $asset['AssetTypeId'];
- $name = cleanOutput($asset['Name']);
- $desc = cleanOutput($asset['Description']); //description of the game
+ $name = cleanOutputNoFilter($asset['Name']);
+ $desc = cleanOutputNoFilter($asset['Description']); //description of the game
 $creatorname = getUsername($creatorid); //creator of the game username
 $image = "";
 if ($assettypeid == 2|| $assettypeid == 11 || $assettypeid == 12) { //tshirts, shirts and pants
diff --git a/html/MCP/reports/data/index.php b/html/MCP/reports/data/index.php
index eae0259..7927beb 100644
--- a/html/MCP/reports/data/index.php
+++ b/html/MCP/reports/data/index.php
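Review bot: `$t = htmlentities($t);` in the new cleanOutputNoFilter() passes no flags or charset, so on PHP before 8.1 (the default was ENT_COMPAT until then, and this patch predates the 8.1 release) single quotes are left as-is and the result is only safe in element text or double-quoted attributes; `$t = htmlentities($t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` pins the behaviour across versions and substitutes invalid byte sequences instead of returning an empty string. The allow-list argument of strip_tags appears to have been lost in this rendering of the patch (the line reads `strip_tags($t, '` followed by `');`), presumably the tag nl2br emits; worth confirming the committed value is exactly that one tag, since strip_tags is the last step and any broader allow-list would undo the escaping. A short docblock stating that the return value is HTML-escaped for element/attribute context only (not JS or URL context) and that filterText() is intentionally skipped would help callers choose between cleanOutput() and this helper. `$t` is untyped; a string type declaration or `(string)` cast would make a null argument (see `getAssetInfo($gameAssetId)->Name` in loggedChats.php) fail loudly rather than relying on coercion.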
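Review bot: The `"username"` and `"placeName"` entries call cleanOutputNoFilter() with the default `$linebreaks=true`, so a newline inside a username or place name is turned into a `<br>` in what is presumably a single-line cell; pass `false` for those two, `"username" => cleanOutputNoFilter(getUsername($userid), false),` and `"placeName" => cleanOutputNoFilter(getAssetInfo($gameAssetId)->Name, false),`. `"thumbnail" => getPlayerRender($userid)` is left unescaped; if that value is rendered into an attribute and can be influenced by the user it needs the same treatment, which cannot be judged from the hunk. If getAssetInfo() can return null for a removed asset, `->Name` warns and null reaches htmlentities (deprecated in 8.1); a `?->` or explicit null check before escaping would avoid that. The enclosing foreach body continues past the hunk.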
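Review bot: `$creatorname = getUsername($creatorid);` on the context line directly after the changed pair stays unescaped while `$name` and `$desc` now go through cleanOutputNoFilter(); a username is user-supplied, so if `$creatorname` is echoed into the page it is the same class of issue this commit fixes, and `$creatorname = cleanOutputNoFilter(getUsername($creatorid), false); //creator of the game username` would close it. The same gap is visible in reports/data/index.php (`$username = (string)getUsername($userid);` in the second hunk) and in user-management.php (`$bannedusername = getUsername($bannedplayer['uid']);`). Whether these variables reach HTML output is outside the hunks, so this is inferred from the treatment the neighbouring fields receive. The foreach body continues past the hunk.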
@@ -41,8 +41,8 @@ if ($validXML) {
 $commentdata = explode(";", $ParsedXML->comment);
 $abuserid = (int)filter_var($commentdata[0], FILTER_SANITIZE_NUMBER_INT);
- $reportreason = (string)trim($commentdata[1]);
- $reportdescription = (string)$commentdata[2];
+ $reportreason = (string)cleanOutputNoFilter(trim($commentdata[1]));
+ $reportdescription = (string)cleanOutputNoFilter($commentdata[2]);
 $chats = $ParsedXML->xpath('//message');
@@ -58,7 +58,7 @@ if ($validXML) {
 foreach($chats as $chat) {
 $userid = (int)$chat['userID'];
 $username = (string)getUsername($userid);
- $userchat = (string)$chat;
+ $userchat = (string)cleanOutputNoFilter($chat);
 $chatData = array(
 "username" => $username,
diff --git a/html/MCP/user-management.php b/html/MCP/user-management.php
index c02e2a3..5ec8466 100644
--- a/html/MCP/user-management.php
+++ b/html/MCP/user-management.php
@@ -85,7 +85,7 @@ if ($b->rowCount() > 0) {
 $banneddate = date("m/d/Y", $bannedplayer['whenBanned']);
 $bannedusername = getUsername($bannedplayer['uid']);
- $bannedreason = cleanOutput($bannedplayer['banReason']);
+ $bannedreason = cleanOutputNoFilter($bannedplayer['banReason']);
 $bannedExpiration = (int)$bannedplayer['banExpiration'];
 $bannedType = (int)$bannedplayer['banType'];
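Review bot: `cleanOutputNoFilter(trim($commentdata[1]))` and `cleanOutputNoFilter($commentdata[2])` still index the explode() result without checking it has three parts, so a report comment with fewer `;` separators raises an undefined-offset warning (and passes null to trim()/htmlentities); `$commentdata[1] ?? ''` and `$commentdata[2] ?? ''` keep the existing behaviour for well-formed input and make the short case explicit. The outer `(string)` casts are now redundant, since the helper returns a string. If `$reportreason` is later compared against a fixed list of reasons or written back to storage, escaping it here rather than at output would alter that comparison; that use is outside the hunk, so it is worth checking. The enclosing `if ($validXML)` block continues past the hunk.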
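Review bot: `$userchat = (string)cleanOutputNoFilter($chat);` hands a SimpleXMLElement to htmlentities() and relies on implicit __toString coercion, which would fail under strict_types once the helper gains a string parameter; casting first, `$userchat = cleanOutputNoFilter((string)$chat);`, matches the original line's intent and drops the now-redundant outer cast. The enclosing foreach body continues past the hunk.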