Escape inputs

Yarmo Mackenbach 2020-07-01 15:47:14 +02:00
parent 34cb9a073c
commit 83045e10d5


@ -43,7 +43,7 @@ if(is_array($match) && is_callable($match['target'])) {
case 'verifyUid': case 'verifyUid':
case 'verifyHKP': case 'verifyHKP':
$content = file_get_contents('pages/verify.html'); $content = file_get_contents('pages/verify.html');
$content = str_replace('%HKP_UID%', (array_key_exists('uid', $match['params']) ? $match['params']['uid'] : ''), $content); $content = str_replace('%HKP_UID%', (array_key_exists('uid', $match['params']) ? htmlspecialchars($match['params']['uid']) : ''), $content);
$content = str_replace('%WKD_UID%', '', $content); $content = str_replace('%WKD_UID%', '', $content);
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
echo($content); echo($content);
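Review bot: The `htmlspecialchars()` call added on the `%HKP_UID%` line uses the default flags, which on PHP versions before 8.1 do not encode single quotes, so the escaping is incomplete if the placeholder sits inside a single-quoted attribute in `pages/verify.html`. Prefer `htmlspecialchars($match['params']['uid'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, which also avoids returning an empty string when the uid contains invalid UTF-8. HTML entity escaping is only correct for an HTML text or attribute context; if the template places the value inside a `<script>` block or a URL it needs a context-specific encoder instead, which I cannot confirm without seeing the template. The enclosing `switch` and the surrounding `if` begin before and end after this hunk.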
@ -52,7 +52,7 @@ if(is_array($match) && is_callable($match['target'])) {
case 'verifyWKD': case 'verifyWKD':
$content = file_get_contents('pages/verify.html'); $content = file_get_contents('pages/verify.html');
$content = str_replace('%HKP_UID%', '', $content); $content = str_replace('%HKP_UID%', '', $content);
$content = str_replace('%WKD_UID%', (array_key_exists('uid', $match['params']) ? $match['params']['uid'] : ''), $content); $content = str_replace('%WKD_UID%', (array_key_exists('uid', $match['params']) ? htmlspecialchars($match['params']['uid']) : ''), $content);
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
echo($content); echo($content);
break; break;
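Review bot: The same `htmlspecialchars($match['params']['uid'])` expression now appears on this `%WKD_UID%` line and in seven sibling cases, so any change to the escaping flags has to be repeated in eight places by hand. A small helper declared once near the top of the file, `function escapeHtml(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }`, called as `escapeHtml($match['params']['uid'])` here, would make one correct flag set the default everywhere. The enclosing `switch` starts and ends outside this hunk.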
@ -61,7 +61,7 @@ if(is_array($match) && is_callable($match['target'])) {
case 'encryptUid': case 'encryptUid':
case 'encryptHKP': case 'encryptHKP':
$content = file_get_contents('pages/encrypt.html'); $content = file_get_contents('pages/encrypt.html');
$content = str_replace('%HKP_UID%', (array_key_exists('uid', $match['params']) ? $match['params']['uid'] : ''), $content); $content = str_replace('%HKP_UID%', (array_key_exists('uid', $match['params']) ? htmlspecialchars($match['params']['uid']) : ''), $content);
$content = str_replace('%WKD_UID%', '', $content); $content = str_replace('%WKD_UID%', '', $content);
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
echo($content); echo($content);
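Review bot: The two sequential `str_replace` calls on `$content` mean the escaped uid is inserted first and then scanned again by the `%WKD_UID%` replacement, so a uid containing the literal text `%WKD_UID%` would have that part blanked, because `htmlspecialchars` leaves `%` untouched. A single pass, `$content = strtr($content, ['%HKP_UID%' => $uid, '%WKD_UID%' => '']);` with `$uid` holding the escaped value, replaces both placeholders without re-scanning inserted text. This is an edge case rather than an exploitable issue as far as I can tell, but it makes the output depend on substitution order. The enclosing `switch` starts and ends outside this hunk.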
@ -70,7 +70,7 @@ if(is_array($match) && is_callable($match['target'])) {
case 'encryptWKD': case 'encryptWKD':
$content = file_get_contents('pages/encrypt.html'); $content = file_get_contents('pages/encrypt.html');
$content = str_replace('%HKP_UID%', '', $content); $content = str_replace('%HKP_UID%', '', $content);
$content = str_replace('%WKD_UID%', (array_key_exists('uid', $match['params']) ? $match['params']['uid'] : ''), $content); $content = str_replace('%WKD_UID%', (array_key_exists('uid', $match['params']) ? htmlspecialchars($match['params']['uid']) : ''), $content);
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
echo($content); echo($content);
break; break;
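Review bot: The new `htmlspecialchars()` on the `%WKD_UID%` line relies on default flags, which do not encode `'` before PHP 8.1 and make the function return `''` on invalid UTF-8 rather than substituting. Pass the flags explicitly, `htmlspecialchars($match['params']['uid'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, so the result is safe in both double- and single-quoted attributes of `pages/encrypt.html`. The enclosing `switch` starts and ends outside this hunk.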
@ -79,7 +79,7 @@ if(is_array($match) && is_callable($match['target'])) {
case 'proofsUid': case 'proofsUid':
case 'proofsHKP': case 'proofsHKP':
$content = file_get_contents('pages/proofs.html'); $content = file_get_contents('pages/proofs.html');
$content = str_replace('%HKP_UID%', (array_key_exists('uid', $match['params']) ? $match['params']['uid'] : ''), $content); $content = str_replace('%HKP_UID%', (array_key_exists('uid', $match['params']) ? htmlspecialchars($match['params']['uid']) : ''), $content);
$content = str_replace('%WKD_UID%', '', $content); $content = str_replace('%WKD_UID%', '', $content);
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
echo($content); echo($content);
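Review bot: On the `%HKP_UID%` line the uid is escaped for HTML but not otherwise validated, and `htmlspecialchars` with default flags leaves `'` intact on PHP before 8.1, so the substitution is only safe if the placeholder in `pages/proofs.html` is in HTML text or a double-quoted attribute. Use `htmlspecialchars($match['params']['uid'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` here, and if the template reads the value from JavaScript, a `json_encode`-based encoder rather than entity escaping is needed — I cannot see the template from here. The enclosing `switch` starts and ends outside this hunk.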
@ -88,14 +88,14 @@ if(is_array($match) && is_callable($match['target'])) {
case 'proofsWKD': case 'proofsWKD':
$content = file_get_contents('pages/proofs.html'); $content = file_get_contents('pages/proofs.html');
$content = str_replace('%HKP_UID%', '', $content); $content = str_replace('%HKP_UID%', '', $content);
$content = str_replace('%WKD_UID%', (array_key_exists('uid', $match['params']) ? $match['params']['uid'] : ''), $content); $content = str_replace('%WKD_UID%', (array_key_exists('uid', $match['params']) ? htmlspecialchars($match['params']['uid']) : ''), $content);
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
echo($content); echo($content);
break; break;
case 'profile': case 'profile':
$content = file_get_contents('pages/profile.html'); $content = file_get_contents('pages/profile.html');
$content = str_replace('%UID%', $match['params']['uid'], $content); $content = str_replace('%UID%', htmlspecialchars($match['params']['uid']), $content);
$content = str_replace('%MODE%', "auto", $content); $content = str_replace('%MODE%', "auto", $content);
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
echo($content); echo($content);
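Review bot: In the `profile` case the `%UID%` line reads `$match['params']['uid']` without the `array_key_exists` guard the `verify`, `encrypt` and `proofs` cases use, so if the route ever matches without a uid this emits a notice and `htmlspecialchars(null)` yields `''` silently. `htmlspecialchars($match['params']['uid'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` makes the missing-parameter behaviour explicit and fixes the single-quote gap in the default flags at the same time. Whether the router guarantees the parameter is present is not visible from this hunk. The enclosing `switch` starts and ends outside this hunk.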
@ -103,7 +103,7 @@ if(is_array($match) && is_callable($match['target'])) {
case 'profileHKP': case 'profileHKP':
$content = file_get_contents('pages/profile.html'); $content = file_get_contents('pages/profile.html');
$content = str_replace('%UID%', $match['params']['uid'], $content); $content = str_replace('%UID%', htmlspecialchars($match['params']['uid']), $content);
$content = str_replace('%MODE%', "hkp", $content); $content = str_replace('%MODE%', "hkp", $content);
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
echo($content); echo($content);
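Review bot: The `%UID%` substitution in `profileHKP` accesses `$match['params']['uid']` directly, unlike the sibling cases that check `array_key_exists` first, and the new `htmlspecialchars()` call uses default flags that leave `'` unescaped on PHP before 8.1. `htmlspecialchars($match['params']['uid'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` addresses both in one line. The enclosing `switch` starts and ends outside this hunk.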
@ -111,7 +111,7 @@ if(is_array($match) && is_callable($match['target'])) {
case 'profileWKD': case 'profileWKD':
$content = file_get_contents('pages/profile.html'); $content = file_get_contents('pages/profile.html');
$content = str_replace('%UID%', $match['params']['uid'], $content); $content = str_replace('%UID%', htmlspecialchars($match['params']['uid']), $content);
$content = str_replace('%MODE%', "wkd", $content); $content = str_replace('%MODE%', "wkd", $content);
header('Content-Type: text/html; charset=utf-8'); header('Content-Type: text/html; charset=utf-8');
echo($content); echo($content);
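Review bot: Same remark for `profileWKD`: the `%UID%` line escapes with default flags, which do not cover single quotes before PHP 8.1 and return `''` on malformed UTF-8, and it has no guard for a missing `uid` parameter. `htmlspecialchars($match['params']['uid'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` is the safer form. The enclosing `switch` starts and ends outside this hunk.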
@ -122,7 +122,7 @@ if(is_array($match) && is_callable($match['target'])) {
break; break;
case 'guideId': case 'guideId':
$id = $match['params']['id']; $id = htmlspecialchars($match['params']['id']);
$content = file_get_contents("pages/template.html"); $content = file_get_contents("pages/template.html");
$guideTitle = file_get_contents("pages/guides/$id.title.html"); $guideTitle = file_get_contents("pages/guides/$id.title.html");
$guideContent = file_get_contents("pages/guides/$id.content.html"); $guideContent = file_get_contents("pages/guides/$id.content.html");
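Review bot: On the `$id = htmlspecialchars(...)` line the escaping does not protect the `file_get_contents("pages/guides/$id.title.html")` reads that follow, because `htmlspecialchars` leaves `.`, `/` and `\` untouched, so an id such as `../../x` still walks out of `pages/guides/` unless the route pattern already restricts the parameter, which is not visible here. Validate the id against an allowlist before touching the filesystem, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $match['params']['id'])) { http_response_code(404); break; }`, and keep the escaped copy only for wherever `$id` is echoed into the template. The `file_get_contents` results are also not checked for `false`, so a missing guide renders as an empty title and body rather than a 404. The rest of this case continues past the end of the hunk.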
@ -134,7 +134,7 @@ if(is_array($match) && is_callable($match['target'])) {
break; break;
case 'util': case 'util':
$id = $match['params']['id']; $id = htmlspecialchars($match['params']['id']);
readfile("pages/util/$id.html"); readfile("pages/util/$id.html");
break; break;
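Review bot: `htmlspecialchars()` on the `$id` line is the wrong control for the `readfile("pages/util/$id.html")` that follows: it encodes `<`, `>`, `&` and `"` for HTML output but leaves `/` and `..` intact, so it does not stop the path from escaping `pages/util/` unless the route definition restricts the id. Validate before reading, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $match['params']['id']) || !is_file("pages/util/$id.html")) { http_response_code(404); break; }`, which also turns the current silent failure of `readfile` on a missing file into a 404. The enclosing `switch` and `if` start before this hunk.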