Try to deal with special char

Kcchouette · Feb 10, 2019 · 52c21ca · 52c21ca
1 parent 96e12fb
commit 52c21ca
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 34 deletions.
diff --git a/TODO.md b/TODO.md
@@ -12,6 +12,11 @@
  - [ ] **Try** to use the text file listing from iroffer
  - [ ] When adding bot, ask if Website/IRC are the same than the main in the ADMIN page
 
+## Possible improvements
+
+ - [ ] Simplify `admin_action.php` and `update.php`
+ - [ ] Create a select for when creating/modifying bookmark search (for the bot selection)
+
 ## Idea
 
  - [ ] Display for example 50 number of file, else use a pagination? (cf datatables)

diff --git a/admin.php b/admin.php
@@ -50,7 +50,7 @@
 			echo "<div class=\"columns\">
 					<div class=\"column col-4 col-mx-auto\">{$_SESSION['message']}</div>
 				  </div>";
-			//header('refresh: 3;');
+			// header('refresh: 3;'); // refresh to remove the message quickly
 			unset($_SESSION['message']);
 		}
 		echo "<div>";

diff --git a/admin_action.php b/admin_action.php
@@ -42,7 +42,7 @@
 
 		if (isset($_POST['modifBot'])){
 			require_once 'xdcc.php';
-			$b = returnObject(getBotList(), $_POST['modifBot']);
+			$b = returnObject(getBotList(), htmlspecialchars($_POST['modifBot'], ENT_COMPAT));
 
 			echo "<h2>{$lang[$language]['Modify_bot']}</h2>";
 			echo "<form method=\"post\" action=\"update.php\">
@@ -74,7 +74,7 @@
 					<fieldset class=\"\">
 						<div class=\"form-group\">
 							<label class=\"form-label\" for=\"nameBot\">{$lang[$language]['Bot_name']}</label>
-							<input type=\"text\" class=\"form-input\" id=\"nameBot\" name=\"nameBot\" placeholder=\"{$lang[$language]['Bot_name']}\" required >
+							<input type=\"text\" class=\"form-input\" id=\"nameBot\" name=\"nameBot\" placeholder=\"{$lang[$language]['Bot_name']}\" required autofocus >
 						</div>
 						<div class=\"form-group\">
 							<label class=\"form-label\" for=\"xmlBot\">{$lang[$language]['Bot_xml']}</label>
@@ -95,7 +95,7 @@
 		}
 		else if (isset($_POST['modifBookmark'])){
 			require_once 'xdcc.php';
-			$b = returnObject(getBookmarkList(), $_POST['modifBookmark']);
+			$b = returnObject(getBookmarkList(), htmlspecialchars($_POST['modifBookmark'], ENT_COMPAT));
 
 			echo "<h2>{$lang[$language]['Modify_bookmark']}</h2>";
 			echo "<form method=\"post\" action=\"update.php\">
@@ -123,7 +123,7 @@
 					<fieldset class=\"\">
 						<div class=\"form-group\">
 							<label class=\"form-label\" for=\"nameBookmark\">{$lang[$language]['Bookmark_name']}</label>
-							<input type=\"text\" name=\"nameBookmark\" placeholder=\"{$lang[$language]['Bookmark_name']}\" required >
+							<input type=\"text\" name=\"nameBookmark\" placeholder=\"{$lang[$language]['Bookmark_name']}\" required autofocus >
 						</div>
 						<div class=\"form-group\">
 							<label class=\"form-label\" for=\"searchBookmark\">{$lang[$language]['Bookmark_search']}</label>

diff --git a/index.php b/index.php
@@ -118,7 +118,7 @@
 					$bookmarks = getBookmarkList();
 					echo "<ul class=\"panel-body\">";
 					foreach($bookmarks as &$b) {
-						echo "<li class=\"tile tile-centered\"><a class=\"tile-content\" href=\"?search={$b->getStringSearch()}&amp;bot=" . urlencode($b->getBotSearch()) . "\" title=\"{$b->getName()}\"><div class=\"tile-title\">{$b->getName()}</div></a></li>";
+						echo "<li class=\"tile tile-centered\"><a class=\"tile-content\" href=\"?search=" . urlencode($b->getStringSearch()) . "&amp;bot=" . urlencode($b->getBotSearch()) . "\" title=\"{$b->getName()}\"><div class=\"tile-title\">{$b->getName()}</div></a></li>";
 					}
 						echo "</ul>
 						</div>
@@ -128,7 +128,7 @@
 		</div>
 
 		<div class="column col-8 col-md-12 col-ml-auto">
-		<h2><?php require_once 'config.php'; if(!empty($_GET['bot'])) echo " &#8212; {$lang[$language]['Bot:']} <code>" . htmlspecialchars($_GET['bot']) . "</code>" . " <a href=\"syndication.php?bot=" . urldecode($_GET['bot']) . "\"> <img class=\"icon\" src=\"img/Feed_icon.svg\"></a>"; if(isset($_GET['search'])) echo " &#8212; {$lang[$language]['Search:']} <code>" . htmlspecialchars($_GET['search']) . "</code>"; ?></h2>
+		<h2><?php require_once 'config.php'; if(!empty($_GET['bot'])) echo " &#8212; {$lang[$language]['Bot:']} <code>" . htmlspecialchars($_GET['bot']) . "</code>" . " <a href=\"syndication.php?bot=" . urlencode($_GET['bot']) . "\"> <img class=\"icon\" src=\"img/Feed_icon.svg\"></a>"; if(isset($_GET['search'])) echo " &#8212; {$lang[$language]['Search:']} <code>" . htmlspecialchars($_GET['search']) . "</code>"; ?></h2>
 			<div><?php
 
 			require_once 'config.php';

diff --git a/json/data.json b/json/data.json
@@ -1 +1 @@
-[{"name":"&quot;Botname","xml":"..\/mybot.xml","website":"http:\/\/test.fr","irc":"irc:\/\/irc.irc"},{"name":"'Botname","xml":"..\/mybot.xml","website":"http:\/\/test.fr","irc":"irc:\/\/irc.irc"}]
+[{"name":"Botname","xml":"..\/mybot.xml","website":"http:\/\/test.fr","irc":"irc:\/\/irc.irc"}]
diff --git a/update.php b/update.php
@@ -1,4 +1,4 @@
-<?php //start before HTML code
+<?php // start before HTML code
 session_start();
 
 require_once 'config.php';
@@ -7,9 +7,9 @@
 
 // BOT
 if (isset($_POST['isCreateBot'])) {
-	insertBot(new Bot($_POST['nameBot'], $_POST['xmlBot'], $_POST['websiteBot'], $_POST['ircBot']));
+	insertBot(new Bot(htmlspecialchars($_POST['nameBot'], ENT_COMPAT), $_POST['xmlBot'], $_POST['websiteBot'], $_POST['ircBot']));
 
-	$_SESSION['message'] = "<div class=\"msg\">
+	$_SESSION['message'] = "<div class=\"text-success\">
 								<p>{$_POST['nameBot']} {$lang[$language]['msg_add']}</p>
 							</div>";
 
@@ -22,10 +22,10 @@
 }
 else if (isset($_POST['isModifBot'])) {
 
-	removeBot($_POST['isModifBot']);
-	insertBot(new Bot($_POST['nameBot'], $_POST['xmlBot'], $_POST['websiteBot'], $_POST['ircBot']));
+	removeBot(htmlspecialchars($_POST['isModifBot'], ENT_COMPAT));
+	insertBot(new Bot(htmlspecialchars($_POST['nameBot'], ENT_COMPAT), $_POST['xmlBot'], $_POST['websiteBot'], $_POST['ircBot']));
 
-	$_SESSION['message'] = "<div class=\"msg\">
+	$_SESSION['message'] = "<div class=\"text-success\">
 								<p>{$_POST['isModifBot']} {$lang[$language]['msg_modify']}</p>
 							</div>";
 
@@ -37,8 +37,8 @@
 	header ('location: admin.php');
 }
 else if (isset($_POST['rmBot'])) {
-	removeBot($_POST['rmBot']);
-	$_SESSION['message'] = "<div class=\"msg\">
+	removeBot(htmlspecialchars($_POST['rmBot'], ENT_COMPAT));
+	$_SESSION['message'] = "<div class=\"text-success\">
 								<p>{$_POST['rmBot']} {$lang[$language]['msg_remove']}</p>
 							</div>";
 
@@ -47,9 +47,9 @@
 }
 // BOOKMARK
 else if (isset($_POST['isCreateBookmark'])) {
-	insertBookmark(new Bookmark($_POST['nameBookmark'], $_POST['searchBookmark'], $_POST['botBookmark']));
+	insertBookmark(new Bookmark(htmlspecialchars($_POST['nameBookmark'], ENT_COMPAT), htmlspecialchars($_POST['searchBookmark'], ENT_COMPAT), htmlspecialchars($_POST['botBookmark'], ENT_COMPAT)));
 
-	$_SESSION['message'] = "<div class=\"msg\">
+	$_SESSION['message'] = "<div class=\"text-success\">
 								<p>{$_POST['nameBookmark']} {$lang[$language]['msg_add']}</p>
 							</div>";
 
@@ -61,10 +61,10 @@
 }
 else if (isset($_POST['isModifBookmark'])) {
 
-	removeBookmark($_POST['isModifBookmark']);
-	insertBookmark(new Bookmark($_POST['nameBookmark'], $_POST['searchBookmark'], $_POST['botBookmark']));
+	removeBookmark(htmlspecialchars($_POST['isModifBookmark'], ENT_COMPAT));
+	insertBookmark(new Bookmark(htmlspecialchars($_POST['nameBookmark'], ENT_COMPAT), htmlspecialchars($_POST['searchBookmark'], ENT_COMPAT), htmlspecialchars($_POST['botBookmark'], ENT_COMPAT)));
 
-	$_SESSION['message'] = "<div class=\"msg\">
+	$_SESSION['message'] = "<div class=\"text-success\">
 								<p>{$_POST['isModifBookmark']} {$lang[$language]['msg_modify']}</p>
 							</div>";
 
@@ -75,8 +75,8 @@
 	header ('location: admin.php');
 }
 else if (isset($_POST['rmBookmark'])) {
-	removeBookmark($_POST['rmBookmark']);
-	$_SESSION['message'] = "<div class=\"msg\">
+	removeBookmark(htmlspecialchars($_POST['rmBookmark'], ENT_COMPAT));
+	$_SESSION['message'] = "<div class=\"text-success\">
 								<p>{$_POST['rmBookmark']} {$lang[$language]['msg_remove']}</p>
 							</div>";
 
@@ -85,10 +85,10 @@
 }
 // OTHER
 else if (isset($_POST['export_ddl'])) {
-	$xml = haveXMLfile(searchBotXMLFile(getBotList(), $_POST['export_ddl']));
+	$xml = haveXMLfile(searchBotXMLFile(getBotList(), htmlspecialchars($_POST['export_ddl'], ENT_COMPAT)));
 
 	header('Content-Type: text/csv');
-	header('Content-Disposition: attachment; filename="' . $_POST['export_ddl'] . '.csv"');
+	header('Content-Disposition: attachment; filename="' . htmlspecialchars($_POST['export_ddl'], ENT_COMPAT) . '.csv"');
 	echo "\xEF\xBB\xBF"; // UTF-8 BOM
 
 	$line = 0;
@@ -150,23 +150,23 @@
 
 	if ($target_file === databaseBotNameFile() && pathinfo($target_file, PATHINFO_EXTENSION) === 'json') {
 		if(file_exists(databaseBotFullFile())) {
-			unlink(databaseBotFullFile()); //remove the file
+			unlink(databaseBotFullFile()); // remove the file
 		}
 		if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], databaseBotFullFile())) {
-			$_SESSION['message'] = "<div class=\"msg\">
+			$_SESSION['message'] = "<div class=\"text-success\">
 								<p>{$lang[$language]['Upload_file']}</p>
 							</div>";
 		 }
 		 else {
-		 	$_SESSION['message'] = "<div class=\"msg msg-error\">
+		 	$_SESSION['message'] = "<div class=\"text-error\">
 								<p>{$lang[$language]['Upload_file_fail']}</p>
 							</div>";
 		 }
 
 
 	}
 	else {
-		$_SESSION['message'] = "<div class=\"msg msg-warning\">
+		$_SESSION['message'] = "<div class=\"text-warning\">
 								<p>{$lang[$language]['Upload_file_fail_name']}</p>
 							</div>";
 	}
@@ -181,23 +181,23 @@
 
 	if ($target_file === databaseBookmarkNameFile() && pathinfo($target_file, PATHINFO_EXTENSION) === 'json') {
 		if(file_exists(databaseBookmarkFullFile())) {
-			unlink(databaseBookmarkFullFile()); //remove the file
+			unlink(databaseBookmarkFullFile()); // remove the file
 		}
 		if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], databaseBookmarkFullFile())) {
-			$_SESSION['message'] = "<div class=\"msg\">
+			$_SESSION['message'] = "<div class=\"text-success\">
 								<p>{$lang[$language]['Upload_file']}</p>
 							</div>";
 		 }
 		 else {
-		 	$_SESSION['message'] = "<div class=\"msg msg-error\">
+		 	$_SESSION['message'] = "<div class=\"text-error\">
 								<div>{$lang[$language]['Upload_file_fail']}</div>
 							</div>";
 		 }
 
 
 	}
 	else {
-		$_SESSION['message'] = "<div class=\"msg msg-warning\">
+		$_SESSION['message'] = "<div class=\"text-warning\">
 								<p>$target_file</p>
 							</div>";
 	}

diff --git a/xdcc.php b/xdcc.php
@@ -139,7 +139,7 @@ function searchBotList($xml, $bot, $search = null, $onBot = true) {
 	$dom = "";
 	foreach($xml->packlist->pack as $p) {
 		if ($search === null || stripos($p->packname, $search) !== false) {
-			$dom .= "<tbody><tr title=\"$bot &#x2014; {$p->packname}\" onclick=\"javascript:paste(\'$bot\', {$p->packnr});\">";
+			$dom .= "<tbody><tr title=\"$bot &#x2014; {$p->packname}\" onclick=\"javascript:paste('$bot', {$p->packnr});\">";
 			if (!$onBot)
 				$dom .= "<td class=\"text-center\">$bot</td>";
 			$dom .= "<td class=\"text-center\">{$p->packnr}</td>";
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		[{"name":""Botname","xml":"..\/mybot.xml","website":"http:\/\/test.fr","irc":"irc:\/\/irc.irc"},{"name":"'Botname","xml":"..\/mybot.xml","website":"http:\/\/test.fr","irc":"irc:\/\/irc.irc"}]
		[{"name":"Botname","xml":"..\/mybot.xml","website":"http:\/\/test.fr","irc":"irc:\/\/irc.irc"}]