From 23d309dc54111be2a0ffe8c07cf156f8018c2907 Mon Sep 17 00:00:00 2001
From: maximest-pierre <me@maximest-pierre.me>
Date: Thu, 22 Mar 2018 09:47:00 -0400
Subject: [PATCH] Fix xss

---
 controller/Request.class.php                   | 4 ++++
 controller/action/AcquisitionActions.class.php | 2 --
 view/template/acquisition/youtube.php          | 2 +-
 view/template/acquisition/youtube_edit.php     | 7 +++----
 view/template/acquisition/youtube_token.php    | 2 +-
 5 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/controller/Request.class.php b/controller/Request.class.php
index 5e8fec11..5ef4804d 100644
--- a/controller/Request.class.php
+++ b/controller/Request.class.php
@@ -155,4 +155,8 @@ class Request
 
     return preg_match('/(' . join('|', $bots) . ')/i', static::getUserAgent());
   }
+  //Method that encode html tags to special character
+  public static function encodeStringFromUser($string){
+      return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
+  }
 }
diff --git a/controller/action/AcquisitionActions.class.php b/controller/action/AcquisitionActions.class.php
index 7e999f79..df4f039a 100644
--- a/controller/action/AcquisitionActions.class.php
+++ b/controller/action/AcquisitionActions.class.php
@@ -62,8 +62,6 @@ class AcquisitionActions extends Actions
 
     if ($desired_lbry_channel_name_is_valid) {
       $token = LBRY::connectYoutube($desired_lbry_channel_name);
-      var_dump($token);
-      var_dump($desired_lbry_channel_name);
       if ($token['success'] == false) {
           Controller::redirect('/youtube?error=true&error_message=' . $token['error']);
       }
diff --git a/view/template/acquisition/youtube.php b/view/template/acquisition/youtube.php
index 03c10556..f7658639 100644
--- a/view/template/acquisition/youtube.php
+++ b/view/template/acquisition/youtube.php
@@ -43,7 +43,7 @@ Response::setMetaDescription("Put your content on the blockchain, experience tru
 
     <div class="content">
       <?php
-      if (isset($_GET['error']) && $_GET['error_message']): echo "<div>" . "The following error occurred: ". $_GET['error_message']  . " For support please send an email to hello@lbry.io" . "</div>";
+      if ($error_message): echo "<div>" . "The following error occurred: ". $error_message  . " For support please send an email to hello@lbry.io" . "</div>";
       endif;?>
       <div class="zigzag"></div>
       <h1>Create on a stable platform. For real this time.</h1>
diff --git a/view/template/acquisition/youtube_edit.php b/view/template/acquisition/youtube_edit.php
index 856699ce..74e26a40 100644
--- a/view/template/acquisition/youtube_edit.php
+++ b/view/template/acquisition/youtube_edit.php
@@ -1,11 +1,10 @@
 <?php
-$status_token = $_POST['status_token'];
-$channel_name = $_POST['new_preferred_channel'];
-$email = $_POST['new_email'];
+$status_token = Request::encodeStringFromUser($_POST['status_token']);
+$channel_name = Request::encodeStringFromUser($_POST['new_preferred_channel']);
+$email = Request::encodeStringFromUser($_POST['new_email']);
 $sync_consent = isset($_POST['sync_consent']);
 
 
-
 if(!preg_match("/@[A-Za-z0-9_-]+$/", $channel_name)){
     $channel_name = "@" . $channel_name;
 }
diff --git a/view/template/acquisition/youtube_token.php b/view/template/acquisition/youtube_token.php
index 18ce0f0b..78bc9287 100644
--- a/view/template/acquisition/youtube_token.php
+++ b/view/template/acquisition/youtube_token.php
@@ -1,5 +1,5 @@
 <?php
-$desired_lbry_channel_name = $_POST['desired_lbry_channel_name'];
+$desired_lbry_channel_name = Request::encodeStringFromUser($_POST['desired_lbry_channel_name']);
 
 if(!preg_match("/@[A-Za-z0-9_-]+$/", $desired_lbry_channel_name)){
   $desired_lbry_channel_name = "@" . $desired_lbry_channel_name;