From cf8368d8d4487477827f16e8e837a1e434cd6d87 Mon Sep 17 00:00:00 2001
From: gravel
Date: Wed, 12 Apr 2023 16:57:11 +0200
Subject: [PATCH] Introduce wrapper for htmlspecialchars
---
php/utils/server-utils.php | 10 ++++++++++
sites/+components/tbl_communities.php | 18 +++++++++---------
2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/php/utils/server-utils.php b/php/utils/server-utils.php
index 5caa392..7501be2 100644
--- a/php/utils/server-utils.php
+++ b/php/utils/server-utils.php
@@ -118,4 +118,14 @@
 return $contents;
 }
 }
+
+ function html_sanitize(
+ string $str, int $flags = ENT_QUOTES|ENT_SUBSTITUTE,
+ ?string $encoding = null, bool $double_encode = true
+ ) {
+ if ($str == "") {
+ return "";
+ }
+ return htmlspecialchars($str, $flags, $encoding, $double_encode);
+ }
 ?>
diff --git a/sites/+components/tbl_communities.php b/sites/+components/tbl_communities.php
index 33ef19a..a56bb02 100644
--- a/sites/+components/tbl_communities.php
+++ b/sites/+components/tbl_communities.php
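Review bot: `html_sanitize` declares its first parameter as a non-nullable `string`, so the null values that the removed ternaries in the tbl_communities.php hunk were guarding against (`$room->language`, `$room->description`) will now raise a TypeError before the `$str == ""` check is ever reached — passing null to a user-defined scalar-typed parameter is rejected even without strict_types, so the wrapper does not replace the old null handling. Make the parameter nullable, compare strictly and declare the return type: `?string $str, int $flags = ENT_QUOTES|ENT_SUBSTITUTE,` / `) : string {` / `if ($str === null || $str === '') {`. The explicit `ENT_QUOTES|ENT_SUBSTITUTE` default is worth keeping, since it is stable across PHP versions and also escapes single quotes for attribute contexts, and that intent should be stated in a docblock: `/** HTML-escape $str for output; null or empty input yields '' instead of a warning or TypeError. */`.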
@@ -55,16 +55,16 @@
 // Escape external input.
 // Ternaries prevent passing null-equal strings, which produce warnings.
- $id = htmlspecialchars($id);
- $language = $room->language ? htmlspecialchars($room->language) : "";
- $name = htmlspecialchars($room->name);
- $desc = $room->description ? htmlspecialchars($room->description) : "";
- $users = htmlspecialchars($room->active_users);
- $preview_link = htmlspecialchars($room->preview_link);
- $join_link = htmlspecialchars($room->join_link);
+ $id = html_sanitize($id);
+ $language = html_sanitize($room->language);
+ $name = html_sanitize($room->name);
+ $desc = html_sanitize($room->description);
+ $users = html_sanitize($room->active_users);
+ $preview_link = html_sanitize($room->preview_link);
+ $join_link = html_sanitize($room->join_link);
 // TODO: Do not forget to rename this escape when merging!
- $token = htmlspecialchars($token);
- $hostname = htmlspecialchars($hostname);
+ $token = html_sanitize($token);
+ $hostname = html_sanitize($hostname);
 ?>
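Review bot: The retained context comment `// Ternaries prevent passing null-equal strings, which produce warnings.` now describes the ternaries this hunk removes and should be updated to match the code, e.g. `// html_sanitize() maps null/empty input to "" so no per-field ternaries are needed.` — which is only true once the wrapper's signature in the other hunk accepts `?string`. `$room->active_users` is passed through unchanged; if it is an int this silently relies on coercive mode, and a `declare(strict_types=1)` in this file would turn it into a TypeError, so an explicit `html_sanitize((string) $room->active_users)` is safer. Escaping `$preview_link` and `$join_link` with htmlspecialchars covers the HTML attribute context but says nothing about the URL itself; if they are emitted as `href` values, a scheme allow-list check belongs where those links are read. Whatever PHP block encloses these assignments begins before the hunk.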