From 77d1a5a012938b20e14a972be5b67a54a8aa0d57 Mon Sep 17 00:00:00 2001
From: Bartek Fabiszewski <github@fabiszewski.net>
Date: Fri, 14 Apr 2017 16:00:53 +0200
Subject: [PATCH] Fix: html encode special characters

---
 index.php          | 10 +++++-----
 js/admin.js        |  6 +++---
 js/main.js         | 24 +++++++++++++++++++-----
 utils/download.php |  2 +-
 4 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/index.php b/index.php
index 9855869..5372e20 100755
--- a/index.php
+++ b/index.php
@@ -108,7 +108,7 @@
 
         <?php if ($user->isValid): ?>
           <div id="user_menu">
-            <a href="javascript:void(0);" onclick="userMenu()"><img class="icon" alt="<?= $lang["user"] ?>" src="images/user.svg"> <?= $user->login ?></a>
+            <a href="javascript:void(0);" onclick="userMenu()"><img class="icon" alt="<?= $lang["user"] ?>" src="images/user.svg"> <?= htmlspecialchars($user->login) ?></a>
             <div id="user_dropdown" class="dropdown">
               <a href="javascript:void(0)" onclick="changePass()"><img class="icon" alt="<?= $lang["changepass"] ?>" src="images/lock.svg"> <?= $lang["changepass"] ?></a>
               <a href="utils/logout.php"><img class="icon" alt="<?= $lang["logout"] ?>" src="images/poweroff.svg"> <?= $lang["logout"] ?></a>
@@ -125,7 +125,7 @@
               <select name="user" onchange="selectUser(this);">
                 <option value="0"><?= $lang["suser"] ?></option>
                 <?php foreach ($usersArr as $aUser): ?>
-                  <option <?= ($aUser->id == $displayUserId) ? "selected " : "" ?>value="<?= $aUser->id ?>"><?= $aUser->login ?></option>
+                  <option <?= ($aUser->id == $displayUserId) ? "selected " : "" ?>value="<?= $aUser->id ?>"><?= htmlspecialchars($aUser->login) ?></option>
                 <?php endforeach; ?>
               </select>
             </form>
@@ -137,12 +137,12 @@
           <form>
             <select name="track" onchange="selectTrack(this)">
               <?php foreach ($tracksArr as $aTrack): ?>
-                <option value="<?= $aTrack->id ?>"><?= $aTrack->name ?></option>
+                <option value="<?= $aTrack->id ?>"><?= htmlspecialchars($aTrack->name) ?></option>
               <?php endforeach; ?>
             </select>
             <input id="latest" type="checkbox" onchange="toggleLatest();"> <?= $lang["latest"] ?><br>
-            </form>
-          <input type="checkbox" onchange="autoReload();"><?= $lang["autoreload"] ?> (<a href="javascript:void(0);" onclick="setTime();"><span id="auto"><?= $config::$interval ?></span></a> s)<br>
+            <input type="checkbox" onchange="autoReload();"> <?= $lang["autoreload"] ?> (<a href="javascript:void(0);" onclick="setTime();"><span id="auto"><?= $config::$interval ?></span></a> s)<br>
+          </form>
           <a href="javascript:void(0);" onclick="loadTrack(userid, trackid, 0);"> <?= $lang["reload"] ?></a><br>
         </div>
 
diff --git a/js/admin.js b/js/admin.js
index 8fcca1a..8a8ee1e 100644
--- a/js/admin.js
+++ b/js/admin.js
@@ -33,12 +33,12 @@ function editUser() {
     alert(lang['selfeditwarn']);
     return;
   }
-  var message = '<div style="float:left">' + sprintf(lang['editinguser'], '<b>' + userLogin + '</b>') + '</div>';
+  var message = '<div style="float:left">' + sprintf(lang['editinguser'], '<b>' + htmlEncode(userLogin) + '</b>') + '</div>';
   message += '<div class="red-button"><b><a href="javascript:void(0);" onclick="submitUser(\'delete\'); return false">' + lang['deluser'] + '</a></b></div>';
   message += '<div style="clear: both; padding-bottom: 1em;"></div>';
 
   var form = '<form id="userForm" method="post" onsubmit="submitUser(\'update\'); return false">';
-  form += '<input type="hidden" name="login" value="' + userLogin + '">';
+  form += '<input type="hidden" name="login" value="' + htmlEncode(userLogin) + '">';
   form += '<label><b>' + lang['password'] + '</b></label><input type="password" placeholder="' + lang['passwordenter'] + '" name="pass" required>';
   form += '<label><b>' + lang['passwordrepeat'] + '</b></label><input type="password" placeholder="' + lang['passwordenter'] + '" name="pass2" required>';
   form += '<div class="buttons"><button type="button" onclick="removeModal()">' + lang['cancel'] + '</button><button type="submit">' + lang['submit'] + '</button></div>';
@@ -52,7 +52,7 @@ function confirmedDelete(login) {
 
 function submitUser(action) {
   var form = document.getElementById('userForm');
-  var login = form.elements['login'].value;
+  var login = form.elements['login'].value.trim();
   if (!login) {
       alert(lang['allrequired']);
       return;
diff --git a/js/main.js b/js/main.js
index d7d4688..c04fc0f 100755
--- a/js/main.js
+++ b/js/main.js
@@ -194,11 +194,11 @@ function getPopupHtml(p, i, count) {
   popup =
     '<div id="popup">' +
     '<div id="pheader">' +
-    '<div><img alt="' + lang['user'] + '" title="' + lang['user'] + '" src="images/user_dark.svg"> ' + p.username + '</div>' +
-    '<div><img alt="' + lang['track'] + '" title="' + lang['track'] + '" src="images/route_dark.svg"> ' + p.trackname + '</div>' +
+    '<div><img alt="' + lang['user'] + '" title="' + lang['user'] + '" src="images/user_dark.svg"> ' + htmlEncode(p.username) + '</div>' +
+    '<div><img alt="' + lang['track'] + '" title="' + lang['track'] + '" src="images/route_dark.svg"> ' + htmlEncode(p.trackname) + '</div>' +
     '</div>' +
     '<div id="pbody">' +
-    ((p.comments != null) ? '<div id="pcomments">' + p.comments + '</div>' : '') +
+    ((p.comments != null) ? '<div id="pcomments">' + htmlEncode(p.comments) + '</div>' : '') +
     '<div id="pleft">' +
     '<img class="icon" alt="' + lang['time'] + '" title="' + lang['time'] + '" src="images/calendar_dark.svg"> ' + date + '<br>' +
     '<img class="icon" alt="' + lang['time'] + '" title="' + lang['time'] + '" src="images/clock_dark.svg"> ' + time + '<br>' +
@@ -319,7 +319,7 @@ function fillOptions(xml) {
     var trackname = getNode(tracks[i], 'trackname');
     var option = document.createElement("option");
     option.value = trackid;
-    option.innerHTML = trackname;
+    option.innerHTML = htmlEncode(trackname);
     trackSelect.appendChild(option);
   }
   var defaultTrack = getNode(tracks[0], 'trackid');
@@ -497,4 +497,18 @@ function sprintf() {
     if (match == '%%') { return '%'; }
     return (typeof args[i] != 'undefined') ? args[i++] : match;
   });
-};
\ No newline at end of file
+};
+
+function htmlEncode(s) {
+  return s.replace(/&/g, '&amp;')
+          .replace(/"/g, '&quot;')
+          .replace(/'/g, '&#39;')
+          .replace(/</g, '&lt;')
+          .replace(/>/g, '&gt;');
+}
+
+if (!String.prototype.trim) {
+  String.prototype.trim = function () {
+    return this.replace(/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g, '');
+  };
+}
\ No newline at end of file
diff --git a/utils/download.php b/utils/download.php
index b4f9772..bc51ee9 100755
--- a/utils/download.php
+++ b/utils/download.php
@@ -131,7 +131,7 @@ if ($trackId && $userId) {
         $xml->writeAttribute("id", "point_{$position->id}");
           $description =
           "<div style=\"font-weight: bolder; padding-bottom: 10px; border-bottom: 1px solid gray;\">" .
-          "{$lang["user"]}: {$position->userLogin}<br>{$lang["track"]}: {$position->trackName}" .
+          "{$lang["user"]}: " . htmlspecialchars($position->userLogin) . "<br>{$lang["track"]}: " . htmlspecialchars($position->trackName) .
           "</div>" .
           "<div>" .
           "<div style=\"padding-top: 10px;\"><b>{$lang["time"]}:</b> {$position->time}<br>" .