Fix #78 - run data through htmlspecialchars so we don't crash when there are quotes in the name

This commit is contained in:
Vojtěch Sajdl 2019-03-15 12:22:16 +01:00
parent 2b54aa9d46
commit 7294b356dd
2 changed files with 17 additions and 17 deletions

View File

@ -2,7 +2,7 @@
//This is config file, please be careful //This is config file, please be careful
session_start(); session_start();
//You can change these: //You can change these:
define("NAME", '##name##'); //Website name define("NAME", "##name##"); //Website name
define("TITLE", "##title##"); define("TITLE", "##title##");
define("WEB_URL", "##url##"); //Used for links define("WEB_URL", "##url##"); //Used for links
define("MAILER_NAME", "##mailer##"); //Mailer name define("MAILER_NAME", "##mailer##"); //Mailer name

View File

@ -113,22 +113,22 @@ if(isset($_POST['server']) && empty($message))
{ {
//Create config //Create config
$config = file_get_contents("config.php.template"); $config = file_get_contents("config.php.template");
$config = str_replace("##name##", $_POST['servername'], $config); $config = str_replace("##name##", htmlspecialchars($_POST['servername'], ENT_QUOTES), $config);
$config = str_replace("##title##", $_POST['title'], $config); $config = str_replace("##title##", htmlspecialchars($_POST['title'], ENT_QUOTES), $config);
$config = str_replace("##url##", $_POST['url'], $config); $config = str_replace("##url##", urlencode($_POST['url']), $config);
$config = str_replace("##mailer##", $_POST['mailer'], $config); $config = str_replace("##mailer##", htmlspecialchars($_POST['mailer'], ENT_QUOTES), $config);
$config = str_replace("##mailer_email##", $_POST['mailer_email'], $config); $config = str_replace("##mailer_email##", htmlspecialchars($_POST['mailer_email'], ENT_QUOTES), $config);
$config = str_replace("##server##", $_POST['server'], $config); $config = str_replace("##server##", htmlspecialchars($_POST['server'], ENT_QUOTES), $config);
$config = str_replace("##database##", $_POST['database'], $config); $config = str_replace("##database##", htmlspecialchars($_POST['database'], ENT_QUOTES), $config);
$config = str_replace("##user##", $_POST['dbuser'], $config); $config = str_replace("##user##", htmlspecialchars($_POST['dbuser'], ENT_QUOTES), $config);
$config = str_replace("##password##", $_POST['dbpassword'], $config); $config = str_replace("##password##", htmlspecialchars($_POST['dbpassword'], ENT_QUOTES), $config);
$config = str_replace("##name##", $_POST['servername'], $config); $config = str_replace("##name##", htmlspecialchars($_POST['servername'], ENT_QUOTES), $config);
$config = str_replace("##policy_name##", $_POST['policy_name'], $config); $config = str_replace("##policy_name##", htmlspecialchars($_POST['policy_name'], ENT_QUOTES), $config);
$config = str_replace("##address##", $_POST['address'], $config); $config = str_replace("##address##", htmlspecialchars($_POST['address'], ENT_QUOTES), $config);
$config = str_replace("##policy_mail##", $_POST['policy_mail'], $config); $config = str_replace("##policy_mail##", htmlspecialchars($_POST['policy_mail'], ENT_QUOTES), $config);
$config = str_replace("##policy_phone##", $_POST['policy_phone'],$config); $config = str_replace("##policy_phone##", htmlspecialchars($_POST['policy_phone'], ENT_QUOTES),$config);
$config = str_replace("##who_we_are##", $_POST['who_we_are'], $config); $config = str_replace("##who_we_are##", htmlspecialchars($_POST['who_we_are'], ENT_QUOTES), $config);
$policy_url_conf = ( ! empty($_POST['policy_url']) ) ? $_POST['policy_url'] : POLICY_URL; $policy_url_conf = ( ! empty($_POST['policy_url']) ) ? htmlspecialchars($_POST['policy_url'], ENT_QUOTES) : urlencode($_POST['url'])."/policy.php";
$config = str_replace("##policy_url##", $policy_url_conf, $config); $config = str_replace("##policy_url##", $policy_url_conf, $config);
file_put_contents("config.php", $config); file_put_contents("config.php", $config);