authorSebastien SAUVAGE <sebsauvage@sebsauvage.net>2013-11-29 21:53:20 +0100
committerSebastien SAUVAGE <sebsauvage@sebsauvage.net>2013-11-29 21:53:20 +0100
commit53da201749f8f362323ef278bf338f1d9f7a925a (patch)
tree814919e595a1d879adc4017c2e904ede477be62a
parent7b2186a63e2c788f1f2622779c5a1c341117eac1 (diff)
XSS flaw correction
Closes issue https://github.com/sebsauvage/Shaarli/issues/134
-rw-r--r--index.php10
1 files changed, 5 insertions, 5 deletions
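--- a/index.php
+++ b/index.php
@@ -942,7 +942,7 @@ function showRSS()
 echo '<description><![CDATA['.nl2br(keepMultipleSpaces(text2clickable(htmlspecialchars($link['description'])))).$descriptionlink.']]></description>'."\n</item>\n";
 $i++;
 }
-echo '</channel></rss><!-- Cached version of '.pageUrl().' -->';
+echo '</channel></rss><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->';
 
 $cache->cache(ob_get_contents());
 ob_end_flush();
@@ -1027,7 +1027,7 @@ function showATOM()
 $feed.='<author><name>'.htmlspecialchars($pageaddr).'</name><uri>'.htmlspecialchars($pageaddr).'</uri></author>';
 $feed.='<id>'.htmlspecialchars($pageaddr).'</id>'."\n\n"; // Yes, I know I should use a real IRI (RFC3987), but the site URL will do.
 $feed.=$entries;
-$feed.='</feed><!-- Cached version of '.pageUrl().' -->';
+$feed.='</feed><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->';
 echo $feed;
 
 $cache->cache(ob_get_contents());
@@ -1104,7 +1104,7 @@ function showDailyRSS()
 echo '<description><![CDATA['.$html.']]></description>'."\n</item>\n\n";
 
 }
-echo '</channel></rss><!-- Cached version of '.pageUrl().' -->';
+echo '</channel></rss><!-- Cached version of '.htmlspecialchars(pageUrl()).' -->';
 
 $cache->cache(ob_get_contents());
 ob_end_flush();
@@ -1747,11 +1747,11 @@ function importFile()
 }
 $LINKSDB->savedb();
 
-echo '<script language="JavaScript">alert("File '.$filename.' ('.$filesize.' bytes) was successfully processed: '.$import_count.' links imported.");document.location=\'?\';</script>';
+echo '<script language="JavaScript">alert("File '.json_encode($filename).' ('.$filesize.' bytes) was successfully processed: '.$import_count.' links imported.");document.location=\'?\';</script>';
 }
 else
 {
-echo '<script language="JavaScript">alert("File '.$filename.' ('.$filesize.' bytes) has an unknown file format. Nothing was imported.");document.location=\'?\';</script>';
+echo '<script language="JavaScript">alert("File '.json_encode($filename).' ('.$filesize.' bytes) has an unknown file format. Nothing was imported.");document.location=\'?\';</script>';
 }
 }
 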
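Review bot: In both importFile() echo lines the json_encode() result is spliced into the middle of an already double-quoted JS literal (`alert("File '.json_encode($filename).' (`), and since json_encode emits its own surrounding quotes a name like `links.html` reaches the browser as `alert("File "links.html" (…`, a syntax error that neither shows the alert nor runs `document.location='?'`. Without JSON_HEX_TAG it also leaves `<` and `>` unescaped, so a name containing `</script>` — $filename presumably comes from the uploaded file's client-supplied name, which is not visible in this hunk — still terminates the script element, and json_encode returns false (emitting nothing) on a non-UTF-8 name. Building the message in PHP and encoding it once, in the JS-literal position, fixes all of this: `echo '<script language="JavaScript">alert('.json_encode('File '.$filename.' ('.$filesize.' bytes) was successfully processed: '.$import_count.' links imported.', JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT).');document.location=\'?\';</script>';` (the JSON_HEX_* flags need PHP 5.3+), with the same shape for the "unknown file format" branch. importFile() begins outside the hunk.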