diff --git a/pool/base.php b/pool/base.php
index afa6e4cc..4f94e55f 100644
--- a/pool/base.php
+++ b/pool/base.php
@@ -18,6 +18,16 @@ function adddbg($str)
}
}
#
+function sq($str)
+{
+ return str_replace("'", "\\'", $str);
+}
+#
+function dq($str)
+{
+ return str_replace('"', "\\\"", $str);
+}
+#
function howlongago($sec)
{
if ($sec < 60)
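Review bot: `sq()` and `dq()` escape only the quote character and never the backslash, so an input like `\'` comes out as `\\'` — in a JavaScript string literal that is an escaped backslash followed by a live quote, which terminates the literal (a raw newline in the input breaks it the same way). Escape the backslash first, `return str_replace(['\\', "'"], ['\\\\', "\\'"], $str);` for `sq()` and `return str_replace(['\\', '"'], ['\\\\', '\\"'], $str);` for `dq()`, or where the value is emitted into a script block use `json_encode()` instead. Backslash escaping is also not HTML escaping: page_workmgt.php feeds a worker name through `sq()` into `$wnv`, and if that value lands inside an HTML attribute the browser does not honour `\'`, so `htmlspecialchars($str, ENT_QUOTES, 'UTF-8')` is the right call there — the markup of that line is not legible in this diff, so this is inferred. Neither helper says which output context it is meant for; a one-line comment such as `# backslash-escape single quotes for a single-quoted JS string literal; NOT for HTML attributes` on each would prevent the two being mixed up.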
diff --git a/pool/page.php b/pool/page.php
index db93a9bc..0b3c633f 100644
--- a/pool/page.php
+++ b/pool/page.php
@@ -315,10 +315,15 @@ function pgtop($info, $dotop, $user, $douser)
}
else
{
- if (substr($who, 0, 1) == '1' && strlen($who) > 12)
- $who = substr($who, 0, 11) . '
';
+ $extra = '';
+ $first = substr($who, 0, 1);
+ if (($first == '1' || $first == '3') && strlen($who) > 12)
+ {
+ $who = substr($who, 0, 11);
+ $extra = '
';
+ }
$top .= "
-$who
+".htmlspecialchars($who)."$extra
Hash Rate:
$uhr/$u1hr";
$top .= makeForm('')."
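Review bot: `htmlspecialchars($who)` on the new line uses the default flags, which do not escape single quotes (and before PHP 5.4 assume ISO-8859-1), so the same call is unsafe if `$who` is ever placed in a single-quoted attribute; use `htmlspecialchars($who, ENT_QUOTES, 'UTF-8')` so the escaping is context-independent. The same default-flag call appears in the new lines of page_blocks.php, page_stats.php, page_workers.php, page_workmgt.php and page_userset.php and should be changed alike. The new prefix test compares with `==` where strict comparison is clearer, `if (($first === '1' || $first === '3') && strlen($who) > 12)`. `$uhr/$u1hr` on the following context line are still interpolated raw; the `'?'` placeholder seen in page_stats.php suggests these can be strings, so if they are not guaranteed numeric they need the same escaping. pgtop's body continues outside the hunk.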
diff --git a/pool/page_blocks.php b/pool/page_blocks.php
index bf97a8e3..9110e5aa 100644
--- a/pool/page_blocks.php
+++ b/pool/page_blocks.php
@@ -111,7 +111,7 @@ function doblocks($data, $user)
$pg .= "
";
$pg .= "$hifld | ";
- $pg .= "".$ans['workername:'.$i].' | ';
+ $pg .= "".htmlspecialchars($ans['workername:'.$i]).' | ';
$pg .= "".btcfmt($ans['reward:'.$i]).' | ';
$pg .= "".gmdate('Y-m-d H:i:s+00', $ans['firstcreatedate:'.$i]).' | ';
$pg .= "".$stat.' | ';
diff --git a/pool/page_settings.php b/pool/page_settings.php
index 852e3f1a..da99a97b 100644
--- a/pool/page_settings.php
+++ b/pool/page_settings.php
@@ -18,7 +18,7 @@ function settings($data, $user, $email, $addr, $err)
$pg .= '
';
$pg .= 'EMail:';
$pg .= ' | ';
- $pg .= "";
+ $pg .= "";
$pg .= ' |
';
$pg .= '';
$pg .= 'Password:';
@@ -41,7 +41,7 @@ function settings($data, $user, $email, $addr, $err)
$pg .= ' |
';
$pg .= 'BTC Address:';
$pg .= ' | ';
- $pg .= "";
+ $pg .= "";
$pg .= ' |
';
$pg .= '';
$pg .= 'Password:';
diff --git a/pool/page_stats.php b/pool/page_stats.php
index ede9f6d5..203de795 100644
--- a/pool/page_stats.php
+++ b/pool/page_stats.php
@@ -84,7 +84,7 @@ function dostats($data, $user)
$row = 'odd';
$pg .= " |
";
- $pg .= ''.$all[$i]['username'].' | ';
+ $pg .= ''.htmlspecialchars($all[$i]['username']).' | ';
$uhr = $all[$i]['u_hashrate5m'];
if ($uhr == '?')
$dsp = '?GHs';
diff --git a/pool/page_userset.php b/pool/page_userset.php
index 2959e3c0..e004e7dd 100644
--- a/pool/page_userset.php
+++ b/pool/page_userset.php
@@ -30,7 +30,9 @@ function uset($data, $user, $api, $err)
$pg .= '
|
';
$pg .= 'You can access the API via:';
$pg .= ' |
';
- $pg .= "/index.php?k=api&username=$user&api=$api&json=y ";
+ $pg .= "/index.php?k=api&username=";
+ $pg .= htmlspecialchars(urlencode($user));
+ $pg .= "&api=$api&json=y ";
$pg .= ' |
';
}
$pg .= '';
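Review bot: `$api` on the third new line is still interpolated raw into the page while `$user` is now URL- and HTML-encoded; if an API key can carry anything beyond URL-safe characters (it looks server-generated, so this may be moot — worth confirming) it needs the same treatment. Building the URL once and escaping it as a whole is simpler and also converts the `&` separators to `&amp;`, which HTML requires: `$pg .= htmlspecialchars("/index.php?k=api&username=" . urlencode($user) . "&api=" . urlencode($api) . "&json=y", ENT_QUOTES, 'UTF-8');`. The trailing space inside `"&api=$api&json=y "` looks like markup lost in this rendering rather than intended output. uset's header and the rest of its body lie outside the hunk.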
diff --git a/pool/page_workers.php b/pool/page_workers.php
index 3157703d..9f2d92fc 100644
--- a/pool/page_workers.php
+++ b/pool/page_workers.php
@@ -41,7 +41,7 @@ function workuser($data, $user, &$offset, &$totshare, &$totdiff,
$row = 'odd';
$pg .= "";
- $pg .= ''.$ans['workername:'.$i].' | ';
+ $pg .= ''.htmlspecialchars($ans['workername:'.$i]).' | ';
if ($ans['w_lastdiff:'.$i] > 0)
$ld = difffmt($ans['w_lastdiff:'.$i]);
else
diff --git a/pool/page_workmgt.php b/pool/page_workmgt.php
index 585d027a..df6e8cfe 100644
--- a/pool/page_workmgt.php
+++ b/pool/page_workmgt.php
@@ -29,12 +29,13 @@ function workmgtuser($data, $user, $err)
$pg .= "
";
- $wn = $ans['workername:'.$i];
+ $wn = htmlspecialchars($ans['workername:'.$i]);
+ $wnv = sq($ans['workername:'.$i]);
$pg .= '';
- $pg .= "";
+ $pg .= "";
$pg .= $wn.' | ';
- $md = $ans['difficultydefault:'.$i];
+ $md = intval($ans['difficultydefault:'.$i]);
$pg .= '';
$pg .= "";
$pg .= "";
|