From 3ca9efd71cfe5e63f4d8494bc61d63fefeaa7659 Mon Sep 17 00:00:00 2001
From: pikami
Date: Mon, 13 Jun 2016 12:49:13 +0000
Subject: [PATCH] Pached XSS
---
 MyPastes.php | 4 ++--
 NewestPastes.php | 4 ++--
 ViewPaste.php | 4 ++--
 index.php | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/MyPastes.php b/MyPastes.php
index 7fe7d6e..8f5c92c 100644
--- a/MyPastes.php
+++ b/MyPastes.php
@@ -21,9 +21,9 @@ if($stmt->rowCount()>0){
 printf('');
 while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
 $title = $row['title'];
- printf(''.$row["title"].'');
+ printf(''.htmlspecialchars($row["title"], ENT_QUOTES, 'UTF-8').'');
 printf(''.date('Y-m-d',$row["created"]).'');
- printf(''.$row["uid"].'');
+ printf(''.htmlspecialchars($row["uid"], ENT_QUOTES, 'UTF-8').'');
 }
 printf('');
 } else {
diff --git a/NewestPastes.php b/NewestPastes.php
index 8cfa522..a60f4b3 100644
--- a/NewestPastes.php
+++ b/NewestPastes.php
@@ -6,9 +6,9 @@ include "config/config.php";
 $stmt = $conn->query('SELECT * FROM pastes WHERE exposure=0 ORDER BY id DESC LIMIT 5');
 while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
- $title = $row['title'];
+ $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
 if(strlen($title)>25)$title = substr($title,0,25)."...";
- echo "".$title."";
+ echo "".$title."";
 }
 ?>
diff --git a/ViewPaste.php b/ViewPaste.php
index e16a739..d4556de 100644
--- a/ViewPaste.php
+++ b/ViewPaste.php
@@ -12,8 +12,8 @@ if(isset($uid)){
 echo "
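Review bot: On both added `printf` lines in MyPastes.php the database value is still concatenated into the *format string*, so a title or uid containing `%` (for example `100%d`) is parsed as a conversion specifier with no matching argument — PHP 8 throws `ArgumentCountError`, older versions warn and print nothing — and `htmlspecialchars` does nothing to neutralise `%`. Pass the value as an argument instead, `printf('%s', htmlspecialchars($row["title"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));` and likewise for `$row["uid"]`, or simply switch these two lines to `echo`. `ENT_SUBSTITUTE` also matters: without it an invalid UTF-8 byte sequence makes `htmlspecialchars` return an empty string, so the row silently renders with no title. The markup around the values was lost in this extraction, so if `uid` is placed inside an `href` it additionally needs `rawurlencode()` before the HTML escaping, which the diff cannot confirm. The `if($stmt->rowCount()>0)` block opens before this hunk and its `else` branch continues after it.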
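Review bot: In NewestPastes.php the added `$title = htmlspecialchars(...)` line escapes before the `strlen`/`substr` truncation on the following line, so the 25-byte cut is measured against entity-expanded text (`&amp;` counts as five bytes, `&#039;` as six), the visible title ends up shorter than intended, and a `'` or `&` near the cut point is split mid-entity, emitting a bare `&#0...` fragment into the page; byte-wise `substr` can likewise split a multibyte UTF-8 character. Truncate the raw value first and escape last, using the multibyte functions: `$title = $row['title'];` / `if(mb_strlen($title)>25)$title = mb_substr($title,0,25)."...";` / `$title = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The attribute markup of the `echo` line was stripped in this extraction; if the anchor's `href` is built from `$row['uid']`, that value needs `rawurlencode()` plus the same escaping, and the diff as shown gives no evidence either way. The hunk heading places this code right after `include "config/config.php"`; nothing before `$stmt` is visible here.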

This paste is private

"; die(); } - echo "

".$result["title"]."

"; - echo ""; + echo "

".htmlspecialchars($result["title"], ENT_QUOTES, 'UTF-8')."

"; + echo ""; } else echo "Paste does not exist"; $conn = null; diff --git a/index.php b/index.php index 15cccf0..5023506 100644 --- a/index.php +++ b/index.php @@ -37,7 +37,7 @@ $user = GetUserByID($userID); echo '
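Review bot: The `htmlspecialchars` call added to the title `echo` in ViewPaste.php passes `ENT_QUOTES` without `ENT_SUBSTITUTE`, so a stored title containing an invalid UTF-8 sequence makes the call return an empty string and the heading silently disappears; use `htmlspecialchars($result["title"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The second rewritten `echo` on the hunk's last line shows no escaping call at all once the markup was stripped in this extraction — if that is where the paste body is printed, it needs the same treatment, because a body containing a closing tag would otherwise terminate whatever element wraps it; that cannot be confirmed from the diff as shown. The `if(isset($uid)){` block starts before this hunk, and `$conn = null;` is the hunk's final line.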