
Merge pull request #43 from michaelowens/xss-patches

Patch several XSS vulnerabilities
This commit is contained in:
Quackster 2024-02-02 14:16:03 +10:00 committed by GitHub
commit 5a7c422baa
GPG key ID: B5690EEEBB952194
9 changed files with 28 additions and 6 deletions


@ -115,7 +115,7 @@ public class TagController {
boolean isValidTag = temporaryTag != null; boolean isValidTag = temporaryTag != null;
if (isValidTag) { if (isValidTag) {
tpl.set("tagSearchAdd", " <p id=\"tag-search-add\" class=\"clearfix\"><span style=\"float:left\">Tag yourself with:</span> <a id=\"tag-search-tag-add\" href=\"#\" class=\"new-button\" style=\"float:left\" onclick=\"TagHelper.addThisTagToMe('" + tag + "',false);return false;\"><b>" + tag + "</b><i></i></a></p>\n"); tpl.set("tagSearchAdd", tag);
} }
} }
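Review bot: `tpl.set("tagSearchAdd", tag)` now hands the raw tag to the template, so the escaping contract has moved from this controller to the Pebble template, and nothing at the call site records that. A short comment such as `// raw value: the template HTML-escapes it inside its autoescape block` would stop a later change from reintroducing markup or script text here. The enclosing method continues outside the hunk.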


@ -8,12 +8,20 @@
{% else %} {% else %}
<p class="search-result-count">{{ pageId }} - {{ totalTagUsers|length }} / {{ totalCount }}</p> <p class="search-result-count">{{ pageId }} - {{ totalTagUsers|length }} / {{ totalCount }}</p>
{% endif %} {% endif %}
{{ tagSearchAdd }} {% autoescape 'html' %}
{% if tagSearchAdd != "" %}
<p id="tag-search-add" class="clearfix">
<span style="float:left">Tag yourself with:</span>
<a id="tag-search-tag-add" href="#" class="new-button" style="float:left" onclick="TagHelper.addThisTagToMe('{{ tagSearchAdd | replace({"'": "\'"}) }}',false);return false;">
<b>{{ tagSearchAdd }}</b>
<i></i>
</a>
</p>
{% endif %}
<p class="search-result-divider"></p> <p class="search-result-divider"></p>
<table border="0" cellpadding="0" cellspacing="0" width="100%" class="search-result"> <table border="0" cellpadding="0" cellspacing="0" width="100%" class="search-result">
<tbody> <tbody>
{% autoescape 'html' %}
{% set num = 0 %} {% set num = 0 %}
{% if tagList.size() > 0 %} {% if tagList.size() > 0 %}
{% for habboTag in tagList %} {% for habboTag in tagList %}
@ -61,9 +69,9 @@
</tr> </tr>
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% endautoescape %}
</tbody> </tbody>
</table> </table>
{% endautoescape %}
<p class="search-result-navigation"> <p class="search-result-navigation">
{% if showFirst %} {% if showFirst %}
<a href="{{ site.sitePath }}/tag/{{ tag }}?pageNumber={{ showFirstPage }}"><<</a> <a href="{{ site.sitePath }}/tag/{{ tag }}?pageNumber={{ showFirstPage }}"><<</a>
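Review bot: The `onclick` on the `<a id="tag-search-tag-add">` line still builds a JavaScript string literal by hand, and `replace({"'": "\'"})` handles only the single quote: a value containing a backslash before a quote (`\'`) becomes `\\'`, which ends the string early, and line terminators such as U+2028 are not handled at all. Taking the value out of the script context removes the need for that escaping: `data-tag="{{ tagSearchAdd }}" onclick="TagHelper.addThisTagToMe(this.getAttribute('data-tag'),false);return false;"`, so the surrounding `{% autoescape 'html' %}` is the only escaping the attribute needs. Separately, `{% if tagSearchAdd != "" %}` only suppresses the block for an empty string; if TagController leaves the variable unset for an invalid tag (that branch is outside the hunk), `{% if tagSearchAdd is not empty %}` covers both the null and the empty case.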


@ -322,7 +322,9 @@ var discussionMoreDataHelper = new MoreDataHelper("discussions-toggle-more-data-
{% endif %} {% endif %}
{{ site.siteName }} created on: {{ habbo.getCreatedAt() }} {{ site.siteName }} created on: {{ habbo.getCreatedAt() }}
{% autoescape 'html' %}
<p class="motto">{{ habbo.getMotto() }}</p> <p class="motto">{{ habbo.getMotto() }}</p>
{% endautoescape %}
</div> </div>
</div> </div>
<input type="hidden" id="active-habbo-url-{{ num }}" value="{{ site.sitePath }}/home/{{ habbo.getName() }}"/> <input type="hidden" id="active-habbo-url-{{ num }}" value="{{ site.sitePath }}/home/{{ habbo.getName() }}"/>
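Review bot: The `{% autoescape 'html' %}` block wraps only the motto paragraph, while the `value="{{ site.sitePath }}/home/{{ habbo.getName() }}"` attribute two lines below stays outside it and is emitted unescaped; the same per-element pattern appears in the topic-name, group-name, group-list, housekeeping user-list and edit-user sections of this commit. Whether names are constrained on input is not visible here, so the safer shape is escape-by-default with explicit opt-out: either widen each block to the surrounding markup, or enable auto-escaping engine-wide with `PebbleEngine.Builder().autoEscaping(true)` and mark the few intentionally raw outputs with `| raw`. That turns an allow-list of escaped sites into a short deny-list of raw ones, which is much easier to audit.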


@ -4,7 +4,9 @@
<span class="topic-name-text" id="topic_name_text">Topic: (max 32 characters)</span> <span class="topic-name-text" id="topic_name_text">Topic: (max 32 characters)</span>
</div> </div>
<div class="topic-name-input"> <div class="topic-name-input">
{% autoescape 'html' %}
<input type="text" size="38" maxlength="32" name="topic_name" id="topic_name" onKeyUp="GroupUtils.validateGroupElements('topic_name', 32, 'myhabbo.topic.name.max.length.exceeded');" value="{{ topic.getTopicTitle() }}"/> <input type="text" size="38" maxlength="32" name="topic_name" id="topic_name" onKeyUp="GroupUtils.validateGroupElements('topic_name', 32, 'myhabbo.topic.name.max.length.exceeded');" value="{{ topic.getTopicTitle() }}"/>
{% endautoescape %}
</div> </div>
<div id="topic-name-error"></div> <div id="topic-name-error"></div>
<div id="topic_name_message_error" class="error"></div> <div id="topic_name_message_error" class="error"></div>


@ -9,7 +9,9 @@
<div id="group-name-area"> <div id="group-name-area">
<div id="group_name_message_error" class="error"></div> <div id="group_name_message_error" class="error"></div>
<label for="group_name" id="group_name_text">Edit group name:</label> <label for="group_name" id="group_name_text">Edit group name:</label>
{% autoescape 'html' %}
<input type="text" name="group_name" id="group_name" onKeyUp="GroupUtils.validateGroupElements('group_name', 30, 'Maximum Group name length reached');" value="{{ group.getName }}"/><br /> <input type="text" name="group_name" id="group_name" onKeyUp="GroupUtils.validateGroupElements('group_name', 30, 'Maximum Group name length reached');" value="{{ group.getName }}"/><br />
{% endautoescape %}
</div> </div>
<div id="group-url-area"> <div id="group-url-area">
@ -135,6 +137,7 @@
<ul> <ul>
<li><input type="radio" name="roomId" value="" {% if group.getRoomId() == 0 %}checked="checked" {% endif %}/><div>No room</div></li> <li><input type="radio" name="roomId" value="" {% if group.getRoomId() == 0 %}checked="checked" {% endif %}/><div>No room</div></li>
{% autoescape 'html' %}
{% set num = 0 %} {% set num = 0 %}
{% for room in rooms %} {% for room in rooms %}
{% if num % 2 == 0 %} {% if num % 2 == 0 %}
@ -152,6 +155,7 @@
</li> </li>
{% set num = num + 1 %} {% set num = num + 1 %}
{% endfor %} {% endfor %}
{% endautoescape %}
</ul> </ul>
</div> </div>
</div> </div>


@ -1,6 +1,7 @@
<ul> <ul>
<li>Click on link below to insert it into the document</li> <li>Click on link below to insert it into the document</li>
{% autoescape 'html' %}
{% for kvp in querySearch %} {% for kvp in querySearch %}
{% set key = kvp.getKey() %} {% set key = kvp.getKey() %}
{% set value = kvp.getValue() %} {% set value = kvp.getValue() %}
@ -9,6 +10,7 @@
value="{{ value }}" title="{{ key }}">{{ key }}</a></li> value="{{ value }}" title="{{ key }}">{{ key }}</a></li>
{% endfor %} {% endfor %}
{% endautoescape %}
</ul> </ul>


@ -23,12 +23,12 @@ You are not a member of any Groups</div>
<div class="groups-list-container"> <div class="groups-list-container">
<ul class="groups-list"> <ul class="groups-list">
{% autoescape 'html' %}
{% for group in groupsList %} {% for group in groupsList %}
<li title="{{ group.getName() }}" id="groups-list-{{ sticker.getId() }}-{{ group.getId() }}"> <li title="{{ group.getName() }}" id="groups-list-{{ sticker.getId() }}-{{ group.getId() }}">
<div class="groups-list-icon"><a href="{{ group.generateClickLink() }}"><img src="{{ site.sitePath }}/habbo-imaging/badge/{{ group.getBadge() }}.gif"/></a></div> <div class="groups-list-icon"><a href="{{ group.generateClickLink() }}"><img src="{{ site.sitePath }}/habbo-imaging/badge/{{ group.getBadge() }}.gif"/></a></div>
<div class="groups-list-open"></div> <div class="groups-list-open"></div>
<h4> <h4>
{% autoescape 'html' %}
<a href="{{ group.generateClickLink() }}">{{ group.getName() }}</a> <a href="{{ group.generateClickLink() }}">{{ group.getName() }}</a>
</h4> </h4>
<p> <p>
@ -47,9 +47,9 @@ You are not a member of any Groups</div>
{% endif %} {% endif %}
</p> </p>
<div class="clear"></div> <div class="clear"></div>
{% endautoescape %}
</li> </li>
{% endfor %} {% endfor %}
{% endautoescape %}
</ul></div> </ul></div>
{% endif %} {% endif %}
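Review bot: The new `{% autoescape 'html' %}` placed before `{% for group in groupsList %}` now nests the pre-existing block inside the `<li>` (the `{% autoescape 'html' %}` after `<h4>` and its `{% endautoescape %}` after the clear div), so the inner pair is redundant and can be dropped once the outer one lands. With the outer block in place `{{ group.getName() }}` in the `title` attribute and `{{ group.getBadge() }}` in the image `src` are HTML-escaped, which they were not before. `{{ group.generateClickLink() }}` in `href` is likewise HTML-escaped, which is right for an attribute but is not URL encoding of any user-derived path segment; whether that method already encodes is outside the hunk.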


@ -91,7 +91,9 @@
<td><a href="{{ site.sitePath }}/{{ site.housekeepingPath }}/users/edit?id={{ player.id }}">{{ player.name }}</a> - <a href="{{ site.sitePath }}/{{ site.housekeepingPath }}/transaction/lookup?searchQuery={{ player.getName() }}">Transactons</a></td> <td><a href="{{ site.sitePath }}/{{ site.housekeepingPath }}/users/edit?id={{ player.id }}">{{ player.name }}</a> - <a href="{{ site.sitePath }}/{{ site.housekeepingPath }}/transaction/lookup?searchQuery={{ player.getName() }}">Transactons</a></td>
<td>{{ player.email }}</td> <td>{{ player.email }}</td>
<td><img src="{{ site.sitePath }}/habbo-imaging/avatarimage?figure={{ player.figure }}&size=s"></td> <td><img src="{{ site.sitePath }}/habbo-imaging/avatarimage?figure={{ player.figure }}&size=s"></td>
{% autoescape 'html' %}
<td>{{ player.motto }}</td> <td>{{ player.motto }}</td>
{% endautoescape %}
<td>{{ player.credits }}</td> <td>{{ player.credits }}</td>
<td>{{ player.pixels }}</td> <td>{{ player.pixels }}</td>
<td>{{ player.formatLastOnline("dd-MM-yyyy HH:mm:ss") }}</td> <td>{{ player.formatLastOnline("dd-MM-yyyy HH:mm:ss") }}</td>
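Review bot: Only `<td>{{ player.motto }}</td>` is wrapped, while `{{ player.name }}`, `{{ player.email }}` and `{{ player.figure }}` in the same table row remain outside the block and render unescaped; whether those fields are constrained on input is not visible here. Extending the block to the whole row (or the enclosing loop) is a one-line move of `{% autoescape 'html' %}` to above the first `<td>`. The `searchQuery={{ player.getName() }}` query parameter on the first line is a URL context rather than an HTML one, and `{{ player.getName() | escape(strategy='url_param') }}` is the matching Pebble filter for it.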


@ -4,6 +4,7 @@
<h1 class="mt-4">Edit User</h1> <h1 class="mt-4">Edit User</h1>
{% include "housekeeping/base/alert.tpl" %} {% include "housekeeping/base/alert.tpl" %}
<p>Here you can edit user details.</p> <p>Here you can edit user details.</p>
{% autoescape 'html' %}
<form class="table-responsive col-md-4" method="post"> <form class="table-responsive col-md-4" method="post">
<div class="form-group"> <div class="form-group">
<label>Username:</label> <label>Username:</label>
@ -34,6 +35,7 @@
<button type="submit" class="btn btn-info">Save Details</button> <button type="submit" class="btn btn-info">Save Details</button>
</div> </div>
</form> </form>
{% endautoescape %}
</div> </div>
</div> </div>
</div> </div>