LBRYFoundation/lbry.com
1
0
Fork 0
mirror of https://github.com/LBRYFoundation/lbry.com.git synced 2025-08-23 17:47:26 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix xss

Browse source
This commit is contained in:
maximest-pierre 2018-03-22 09:47:00 -04:00
parent 376874dbab
commit 23d309dc54
5 changed files with 9 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
controller/Request.class.php
View file

@ -155,4 +155,8 @@ class Request
return preg_match('/(' . join('|', $bots) . ')/i', static::getUserAgent());
}
//Method that encode html tags to special character
public static function encodeStringFromUser($string){
return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}
}

2
controller/action/AcquisitionActions.class.php
View file

@ -62,8 +62,6 @@ class AcquisitionActions extends Actions
if ($desired_lbry_channel_name_is_valid) {
$token = LBRY::connectYoutube($desired_lbry_channel_name);
var_dump($token);
var_dump($desired_lbry_channel_name);
if ($token['success'] == false) {
Controller::redirect('/youtube?error=true&error_message=' . $token['error']);
}

2
view/template/acquisition/youtube.php
View file

@ -43,7 +43,7 @@ Response::setMetaDescription("Put your content on the blockchain, experience tru
<div class="content">
<?php
if (isset($_GET['error']) && $_GET['error_message']): echo "<div>" . "The following error occurred: ". $_GET['error_message'] . " For support please send an email to hello@lbry.io" . "</div>";
if ($error_message): echo "<div>" . "The following error occurred: ". $error_message . " For support please send an email to hello@lbry.io" . "</div>";
endif;?>
<div class="zigzag"></div>
<h1>Create on a stable platform. For real this time.</h1>

7
view/template/acquisition/youtube_edit.php
View file

@ -1,11 +1,10 @@
<?php
$status_token = $_POST['status_token'];
$channel_name = $_POST['new_preferred_channel'];
$email = $_POST['new_email'];
$status_token = Request::encodeStringFromUser($_POST['status_token']);
$channel_name = Request::encodeStringFromUser($_POST['new_preferred_channel']);
$email = Request::encodeStringFromUser($_POST['new_email']);
$sync_consent = isset($_POST['sync_consent']);
if(!preg_match("/@[A-Za-z0-9_-]+$/", $channel_name)){
$channel_name = "@" . $channel_name;
}

2
view/template/acquisition/youtube_token.php
View file

@ -1,5 +1,5 @@
<?php
$desired_lbry_channel_name = $_POST['desired_lbry_channel_name'];
$desired_lbry_channel_name = Request::encodeStringFromUser($_POST['desired_lbry_channel_name']);
if(!preg_match("/@[A-Za-z0-9_-]+$/", $desired_lbry_channel_name)){
$desired_lbry_channel_name = "@" . $desired_lbry_channel_name;