htmlspecialchars

simonLeary42 · simonLeary42 · commit 77509e24b42f · 2025-12-10T15:07:54.000-05:00
diff --git a/resources/lib/UnityHTTPD.php b/resources/lib/UnityHTTPD.php
@@ -37,6 +37,7 @@ public static function die(mixed $x = null, bool $show_user = false): never
     public static function redirect(?string $dest = null): never
     {
         $dest ??= pathJoin(CONFIG["site"]["prefix"], $_SERVER["REQUEST_URI"]);
+        $dest = htmlspecialchars($dest);
         header("Location: $dest");
         self::errorToUser("Redirect failed, click <a href='$dest'>here</a> to continue.", 302);
         self::die();
diff --git a/resources/templates/header.php b/resources/templates/header.php
@@ -150,9 +150,9 @@
                 <button onclick=\"this.parentElement.style.display='none';\">×</button>
               </div>
             ",
-            $level->value,
-            strip_tags($title),
-            strip_tags($body)
+            htmlspecialchars($level->value),
+            htmlspecialchars($title),
+            htmlspecialchars($body)
         );
     }
     UnityHTTPD::clearMessages();

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ public static function die(mixed $x = null, bool $show_user = false): never`
`37`	`37`	`public static function redirect(?string $dest = null): never`
`38`	`38`	`{`
`39`	`39`	`$dest ??= pathJoin(CONFIG["site"]["prefix"], $_SERVER["REQUEST_URI"]);`
	`40`	`+ $dest = htmlspecialchars($dest);`
`40`	`41`	`header("Location: $dest");`
`41`	`42`	`self::errorToUser("Redirect failed, click <a href='$dest'>here</a> to continue.", 302);`
`42`	`43`	`self::die();`