From c0ccf9b8ecf0e3b97861056b15dec76e61cd2b8c Mon Sep 17 00:00:00 2001 From: kanoi Date: Sat, 18 Oct 2014 22:25:13 +1100 Subject: [PATCH] php - encode text where required to avoid messing up the html display --- pool/base.php | 10 ++++++++++ pool/page.php | 11 ++++++++--- pool/page_blocks.php | 2 +- pool/page_settings.php | 4 ++-- pool/page_stats.php | 2 +- pool/page_userset.php | 4 +++- pool/page_workers.php | 2 +- pool/page_workmgt.php | 7 ++++--- 8 files changed, 30 insertions(+), 12 deletions(-) diff --git a/pool/base.php b/pool/base.php index afa6e4cc..4f94e55f 100644 --- a/pool/base.php +++ b/pool/base.php @@ -18,6 +18,16 @@ function adddbg($str) } } # +function sq($str) +{ + return str_replace("'", "\\'", $str); +} +# +function dq($str) +{ + return str_replace('"', "\\\"", $str); +} +# function howlongago($sec) { if ($sec < 60) diff --git a/pool/page.php b/pool/page.php index db93a9bc..0b3c633f 100644 --- a/pool/page.php +++ b/pool/page.php @@ -315,10 +315,15 @@ function pgtop($info, $dotop, $user, $douser) } else { - if (substr($who, 0, 1) == '1' && strlen($who) > 12) - $who = substr($who, 0, 11) . '…'; + $extra = ''; + $first = substr($who, 0, 1); + if (($first == '1' || $first == '3') && strlen($who) > 12) + { + $who = substr($who, 0, 11); + $extra = '…'; + } $top .= " -$who  +".htmlspecialchars($who)."$extra  Hash Rate: $uhr/$u1hr"; $top .= makeForm('')." diff --git a/pool/page_blocks.php b/pool/page_blocks.php index bf97a8e3..9110e5aa 100644 --- a/pool/page_blocks.php +++ b/pool/page_blocks.php @@ -111,7 +111,7 @@ function doblocks($data, $user) $pg .= ""; $pg .= "$hifld"; - $pg .= "".$ans['workername:'.$i].''; + $pg .= "".htmlspecialchars($ans['workername:'.$i]).''; $pg .= "".btcfmt($ans['reward:'.$i]).''; $pg .= "".gmdate('Y-m-d H:i:s+00', $ans['firstcreatedate:'.$i]).''; $pg .= "".$stat.''; diff --git a/pool/page_settings.php b/pool/page_settings.php index 852e3f1a..da99a97b 100644 --- a/pool/page_settings.php +++ b/pool/page_settings.php 
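Review bot: `sq()` and `dq()` escape only the quote character, so a backslash already in the input passes through untouched and defeats the escape: a value ending in `\` leaves the closing quote of the surrounding literal escaped, and `\'` in the input becomes `\\'`, which terminates a single-quoted string early; newlines are likewise left as-is. Escape the backslash first, e.g. `return str_replace(['\\', "'"], ['\\\\', "\\'"], $str);` for `sq()` and the same shape with `"` for `dq()`, or simply `return addcslashes($str, "\\'");`. The only consumer visible in this patch is `$wnv = sq(...)` in the page_workmgt.php hunk, whose destination markup is stripped here; if that value lands in an HTML attribute the right tool is `htmlspecialchars(..., ENT_QUOTES)`, and if it lands in a JavaScript string literal it is `json_encode()`. Both helpers would also benefit from a one-line comment naming the context they are meant for, e.g. `# escape for a single-quoted string literal (JS/PHP); not an HTML escaper`.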
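Review bot: `htmlspecialchars()` is called on the new `$pg .= "".htmlspecialchars($ans['workername:'.$i]).'';` line with default flags and charset, and the same bare call is repeated in the page_stats.php, page_workers.php and page.php hunks; those defaults vary by PHP version (single quotes are not escaped under the pre-8.1 `ENT_COMPAT` default, and the default charset was ISO-8859-1 before 5.4), so anything that ends up inside a single-quoted attribute or on a non-UTF-8 page is only partly covered. Fixing the policy once in base.php next to `sq()`/`dq()` would keep every call site consistent, e.g. `function h($str) { return htmlspecialchars($str, ENT_QUOTES, 'UTF-8'); }`, with call sites becoming `$pg .= "".h($ans['workername:'.$i]).'';`. The hunk only shows table-cell text, so the attribute case is inferred from the other hunks rather than visible here.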
@@ -18,7 +18,7 @@ function settings($data, $user, $email, $addr, $err) $pg .= ''; $pg .= 'EMail:'; $pg .= ''; - $pg .= ""; + $pg .= ""; $pg .= ''; $pg .= ''; $pg .= 'Password:'; @@ -41,7 +41,7 @@ function settings($data, $user, $email, $addr, $err) $pg .= ''; $pg .= 'BTC Address:'; $pg .= ''; - $pg .= ""; + $pg .= ""; $pg .= ''; $pg .= ''; $pg .= 'Password:'; diff --git a/pool/page_stats.php b/pool/page_stats.php index ede9f6d5..203de795 100644 --- a/pool/page_stats.php +++ b/pool/page_stats.php @@ -84,7 +84,7 @@ function dostats($data, $user) $row = 'odd'; $pg .= ""; - $pg .= ''.$all[$i]['username'].''; + $pg .= ''.htmlspecialchars($all[$i]['username']).''; $uhr = $all[$i]['u_hashrate5m']; if ($uhr == '?') $dsp = '?GHs'; diff --git a/pool/page_userset.php b/pool/page_userset.php index 2959e3c0..e004e7dd 100644 --- a/pool/page_userset.php +++ b/pool/page_userset.php @@ -30,7 +30,9 @@ function uset($data, $user, $api, $err) $pg .= ' '; $pg .= 'You can access the API via:'; $pg .= ''; - $pg .= "/index.php?k=api&username=$user&api=$api&json=y
"; + $pg .= "/index.php?k=api&username="; + $pg .= htmlspecialchars(urlencode($user)); + $pg .= "&api=$api&json=y
"; $pg .= ''; } $pg .= ''; diff --git a/pool/page_workers.php b/pool/page_workers.php index 3157703d..9f2d92fc 100644 --- a/pool/page_workers.php +++ b/pool/page_workers.php @@ -41,7 +41,7 @@ function workuser($data, $user, &$offset, &$totshare, &$totdiff, $row = 'odd'; $pg .= ""; - $pg .= ''.$ans['workername:'.$i].''; + $pg .= ''.htmlspecialchars($ans['workername:'.$i]).''; if ($ans['w_lastdiff:'.$i] > 0) $ld = difffmt($ans['w_lastdiff:'.$i]); else diff --git a/pool/page_workmgt.php b/pool/page_workmgt.php index 585d027a..df6e8cfe 100644 --- a/pool/page_workmgt.php +++ b/pool/page_workmgt.php @@ -29,12 +29,13 @@ function workmgtuser($data, $user, $err) $pg .= ""; - $wn = $ans['workername:'.$i]; + $wn = htmlspecialchars($ans['workername:'.$i]); + $wnv = sq($ans['workername:'.$i]); $pg .= ''; - $pg .= ""; + $pg .= ""; $pg .= $wn.''; - $md = $ans['difficultydefault:'.$i]; + $md = intval($ans['difficultydefault:'.$i]); $pg .= ''; $pg .= ""; $pg .= "";