Merge pull request #43 from michaelowens/xss-patches

Patch several xss vulnerabilities
Quackster · Feb 2, 2024 · 5a7c422 · 5a7c422
2 parents afeed4f + 5c5c774
commit 5a7c422
Show file tree

Hide file tree

Showing 9 changed files with 28 additions and 6 deletions.
diff --git a/Havana-Web/src/main/java/org/alexdev/http/controllers/site/TagController.java b/Havana-Web/src/main/java/org/alexdev/http/controllers/site/TagController.java
@@ -115,7 +115,7 @@ private static void respondWithSearch(WebConnection webConnection, String tag, i
             boolean isValidTag = temporaryTag != null;
 
             if (isValidTag) {
-                tpl.set("tagSearchAdd", " <p id=\"tag-search-add\" class=\"clearfix\"><span style=\"float:left\">Tag yourself with:</span> <a id=\"tag-search-tag-add\" href=\"#\" class=\"new-button\" style=\"float:left\" onclick=\"TagHelper.addThisTagToMe('" + tag + "',false);return false;\"><b>" + tag + "</b><i></i></a></p>\n");
+                tpl.set("tagSearchAdd", tag);
             }
         }
 

diff --git a/tools/www-tpl/default-en/base/tag_search.tpl b/tools/www-tpl/default-en/base/tag_search.tpl
@@ -8,12 +8,20 @@
 			{% else %}
 				<p class="search-result-count">{{ pageId }} - {{ totalTagUsers|length }} / {{ totalCount }}</p>
 			{% endif %}
-			{{ tagSearchAdd }}
+			{% autoescape 'html' %}
+			{% if tagSearchAdd != "" %}
+			<p id="tag-search-add" class="clearfix">
+				<span style="float:left">Tag yourself with:</span>
+				<a id="tag-search-tag-add" href="#" class="new-button" style="float:left" onclick="TagHelper.addThisTagToMe('{{ tagSearchAdd | replace({"'": "\'"}) }}',false);return false;">
+					<b>{{ tagSearchAdd }}</b>
+					<i></i>
+				</a>
+			</p>
+			{% endif %}
 			<p class="search-result-divider"></p>
 
 			<table border="0" cellpadding="0" cellspacing="0" width="100%" class="search-result">
 				<tbody>
-				{% autoescape 'html' %}
 				{% set num = 0 %}
 				{% if tagList.size() > 0 %}
 				{% for habboTag in tagList %}
@@ -61,9 +69,9 @@
 				</tr>
 				{% endfor %}
 				{% endif %}
-				{% endautoescape %}
 				</tbody>
 			</table>
+			{% endautoescape %}
 			<p class="search-result-navigation">
 			{% if showFirst %}
 			<a href="{{ site.sitePath }}/tag/{{ tag }}?pageNumber={{ showFirstPage }}"><<</a>

diff --git a/tools/www-tpl/default-en/community.tpl b/tools/www-tpl/default-en/community.tpl
@@ -322,7 +322,9 @@ var discussionMoreDataHelper = new MoreDataHelper("discussions-toggle-more-data-
 						{% endif %}
 
                         {{ site.siteName }} created on: {{ habbo.getCreatedAt() }}
+												{% autoescape 'html' %}
                             <p class="motto">{{ habbo.getMotto() }}</p>
+												{% endautoescape %}
                     </div>
                 </div>
                 <input type="hidden" id="active-habbo-url-{{ num }}" value="{{ site.sitePath }}/home/{{ habbo.getName() }}"/>

diff --git a/tools/www-tpl/default-en/groups/discussions/opentopicsettings.tpl b/tools/www-tpl/default-en/groups/discussions/opentopicsettings.tpl
@@ -4,7 +4,9 @@
 	    		<span class="topic-name-text" id="topic_name_text">Topic: (max 32 characters)</span>
 	    	</div>
 	    	<div class="topic-name-input">
+				{% autoescape 'html' %}
 	    		<input type="text" size="38" maxlength="32" name="topic_name" id="topic_name" onKeyUp="GroupUtils.validateGroupElements('topic_name', 32, 'myhabbo.topic.name.max.length.exceeded');" value="{{ topic.getTopicTitle() }}"/>
+				{% endautoescape %}
 			</div>
             <div id="topic-name-error"></div>
             <div id="topic_name_message_error" class="error"></div>

diff --git a/tools/www-tpl/default-en/groups/habblet/group_settings.tpl b/tools/www-tpl/default-en/groups/habblet/group_settings.tpl
@@ -9,7 +9,9 @@
         <div id="group-name-area">
           <div id="group_name_message_error" class="error"></div>
           <label for="group_name" id="group_name_text">Edit group name:</label>
+          {% autoescape 'html' %}
           <input type="text" name="group_name" id="group_name" onKeyUp="GroupUtils.validateGroupElements('group_name', 30, 'Maximum Group name length reached');" value="{{ group.getName }}"/><br />
+          {% endautoescape %}
         </div>
 
         <div id="group-url-area">
@@ -135,6 +137,7 @@
         <ul>
           <li><input type="radio" name="roomId" value="" {% if group.getRoomId() == 0 %}checked="checked" {% endif %}/><div>No room</div></li>
 
+    {% autoescape 'html' %}
 		{% set num = 0 %}
 		{% for room in rooms %}
 			{% if num % 2 == 0 %}
@@ -152,6 +155,7 @@
           </li>
 		  {% set num = num + 1 %}
 		  {% endfor %}
+      {% endautoescape %}
         </ul>
       </div>
     </div>

diff --git a/tools/www-tpl/default-en/homes/editor/search.tpl b/tools/www-tpl/default-en/homes/editor/search.tpl
@@ -1,6 +1,7 @@
 <ul>
 	<li>Click on link below to insert it into the document</li>
 
+	{% autoescape 'html' %}
 	{% for kvp in querySearch %}
 		{% set key = kvp.getKey() %}
 		{% set value = kvp.getValue() %}
@@ -9,6 +10,7 @@
     	value="{{ value }}" title="{{ key }}">{{ key }}</a></li>
 
 	{% endfor %}
+	{% endautoescape %}
 
 
 </ul>
diff --git a/tools/www-tpl/default-en/homes/widget/groups_widget.tpl b/tools/www-tpl/default-en/homes/widget/groups_widget.tpl
@@ -23,12 +23,12 @@ You are not a member of any Groups</div>
 <div class="groups-list-container">
 <ul class="groups-list">
 
+{% autoescape 'html' %}
 {% for group in groupsList %}
 <li title="{{ group.getName() }}" id="groups-list-{{ sticker.getId() }}-{{ group.getId() }}">
 		<div class="groups-list-icon"><a href="{{ group.generateClickLink() }}"><img src="{{ site.sitePath }}/habbo-imaging/badge/{{ group.getBadge() }}.gif"/></a></div>
 		<div class="groups-list-open"></div>
 		<h4>
-		{% autoescape 'html' %}
 		<a href="{{ group.generateClickLink() }}">{{ group.getName() }}</a>
 				</h4>
 		<p>
@@ -47,9 +47,9 @@ You are not a member of any Groups</div>
 		{% endif %}
 		</p>
 		<div class="clear"></div>
-		{% endautoescape %}
 	</li>
 {% endfor %}
+{% endautoescape %}
 
 </ul></div>
 		{% endif %}

diff --git a/tools/www-tpl/default-en/housekeeping/dashboard.tpl b/tools/www-tpl/default-en/housekeeping/dashboard.tpl
@@ -91,7 +91,9 @@
                   <td><a href="{{ site.sitePath }}/{{ site.housekeepingPath }}/users/edit?id={{ player.id }}">{{ player.name }}</a> - <a href="{{ site.sitePath }}/{{ site.housekeepingPath }}/transaction/lookup?searchQuery={{ player.getName() }}">Transactons</a></td>
 				  <td>{{ player.email }}</td>
 				  <td><img src="{{ site.sitePath }}/habbo-imaging/avatarimage?figure={{ player.figure }}&size=s"></td>
+									{% autoescape 'html' %}
                   <td>{{ player.motto }}</td>
+				 					{% endautoescape %}
                   <td>{{ player.credits }}</td>
                   <td>{{ player.pixels }}</td>
 				  <td>{{ player.formatLastOnline("dd-MM-yyyy HH:mm:ss") }}</td>

diff --git a/tools/www-tpl/default-en/housekeeping/users_edit.tpl b/tools/www-tpl/default-en/housekeeping/users_edit.tpl
@@ -4,6 +4,7 @@
      <h1 class="mt-4">Edit User</h1>
 		{% include "housekeeping/base/alert.tpl" %}
 		<p>Here you can edit user details.</p>
+		{% autoescape 'html' %}
 		<form class="table-responsive col-md-4" method="post">
 			<div class="form-group">
 				<label>Username:</label>
@@ -34,6 +35,7 @@
 				<button type="submit" class="btn btn-info">Save Details</button>
 			</div>
 		</form>
+		{% endautoescape %}
       </div>
     </div>
   </div>