php - encode text where required to avoid messing up the html display

pool/base.php

@@ -18,6 +18,16 @@ function adddbg($str)
  }
 }
 #
+function sq($str)
+{
+ return str_replace("'", "\\'", $str);
+}
+#
+function dq($str)
+{
+ return str_replace('"', "\\\"", $str);
+}
+#
 function howlongago($sec)
 {
  if ($sec < 60)

pool/page.php

@@ -315,10 +315,15 @@ function pgtop($info, $dotop, $user, $douser)
 		}
 		else
 		{
-			if (substr($who, 0, 1) == '1' && strlen($who) > 12)
+			$extra = '';
-				$who = substr($who, 0, 11) . '…';
+			$first = substr($who, 0, 1);
+			if (($first == '1' || $first == '3') && strlen($who) > 12)
+			{
+				$who = substr($who, 0, 11);
+				$extra = '…';
+			}
 			$top .= "
-<span class=topwho>$who&nbsp;</span>
+<span class=topwho>".htmlspecialchars($who)."$extra&nbsp;</span>
 <span class=topdes>Hash Rate:</span>
 <span class=topdat>$uhr/$u1hr</span>";
 			$top .= makeForm('')."

pool/page_blocks.php

@@ -111,7 +111,7 @@ function doblocks($data, $user)
 
 		$pg .= "<tr class=$row>";
 		$pg .= "<td class=dl$ex>$hifld</td>";
-		$pg .= "<td class=dl$ex>".$ans['workername:'.$i].'</td>';
+		$pg .= "<td class=dl$ex>".htmlspecialchars($ans['workername:'.$i]).'</td>';
 		$pg .= "<td class=dr$ex>".btcfmt($ans['reward:'.$i]).'</td>';
 		$pg .= "<td class=dl$ex>".gmdate('Y-m-d H:i:s+00', $ans['firstcreatedate:'.$i]).'</td>';
 		$pg .= "<td class=dr$ex>".$stat.'</td>';

pool/page_settings.php

@@ -18,7 +18,7 @@ function settings($data, $user, $email, $addr, $err)
  $pg .= '<tr class=dc><td class=dr>';
  $pg .= 'EMail:';
  $pg .= '</td><td class=dl>';
- $pg .= "<input type=text name=email value='$email' size=20>";
+ $pg .= "<input type=text name=email value='".sq($email)."' size=20>";
  $pg .= '</td></tr>';
  $pg .= '<tr class=dc><td class=dr>';
  $pg .= 'Password:';
@@ -41,7 +41,7 @@ function settings($data, $user, $email, $addr, $err)
  $pg .= '<tr class=dc><td class=dr>';
  $pg .= 'BTC Address:';
  $pg .= '</td><td class=dl>';
- $pg .= "<input type=text name=baddr value='$addr' size=42>";
+ $pg .= "<input type=text name=baddr value='".sq($addr)."' size=42>";
  $pg .= '</td></tr>';
  $pg .= '<tr class=dc><td class=dr>';
  $pg .= 'Password:';

pool/page_stats.php

@@ -84,7 +84,7 @@ function dostats($data, $user)
 			$row = 'odd';
 
 		$pg .= "<tr class=$row>";
-		$pg .= '<td class=dl>'.$all[$i]['username'].'</td>';
+		$pg .= '<td class=dl>'.htmlspecialchars($all[$i]['username']).'</td>';
 		$uhr = $all[$i]['u_hashrate5m'];
 		if ($uhr == '?')
 			$dsp = '?GHs';

pool/page_userset.php

@@ -30,7 +30,9 @@ function uset($data, $user, $api, $err)
 	$pg .= '<tr class=dc><td>&nbsp;</td></tr>';
 	$pg .= '<tr class=dc><td>You can access the API via:';
 	$pg .= '</td></tr><tr class=dc><td>';
-	$pg .= "<span class=hil>/index.php?k=api&username=$user&api=$api&json=y</span><br>";
+	$pg .= "<span class=hil>/index.php?k=api&username=";
+	$pg .= htmlspecialchars(urlencode($user));
+	$pg .= "&api=$api&json=y</span><br>";
 	$pg .= '</td></tr>';
  }
  $pg .= '</table></form>';

pool/page_workers.php

@@ -41,7 +41,7 @@ function workuser($data, $user, &$offset, &$totshare, &$totdiff,
 			$row = 'odd';
 
 		$pg .= "<tr class=$row>";
-		$pg .= '<td class=dl>'.$ans['workername:'.$i].'</td>';
+		$pg .= '<td class=dl>'.htmlspecialchars($ans['workername:'.$i]).'</td>';
 		if ($ans['w_lastdiff:'.$i] > 0)
 			$ld = difffmt($ans['w_lastdiff:'.$i]);
 		else

pool/page_workmgt.php

@@ -29,12 +29,13 @@ function workmgtuser($data, $user, $err)
 
 		$pg .= "<tr class=$row>";
 
-		$wn = $ans['workername:'.$i];
+		$wn = htmlspecialchars($ans['workername:'.$i]);
+		$wnv = sq($ans['workername:'.$i]);
 		$pg .= '<td class=dl>';
-		$pg .= "<input type=hidden name='workername:$i' value='$wn'>";
+		$pg .= "<input type=hidden name='workername:$i' value='$wnv'>";
 		$pg .= $wn.'</td>';
 
-		$md = $ans['difficultydefault:'.$i];
+		$md = intval($ans['difficultydefault:'.$i]);
 		$pg .= '<td class=dr>';
 		$pg .= "<input type=text size=6 name='difficultydefault:$i' value='$md'>";
 		$pg .= "<input type=submit name=OK value=OK>";