Using htmlentities and rawurlencode on every output string
Signed-off-by: RD WebDesign <github@rdwebdesign.com.br>
rdwebdesign committed Sep 21, 2022
1 parent 2d346a1 commit 6e51ac3
Showing 1 changed file with 8 additions and 11 deletions.
19 changes: 8 additions & 11 deletions scripts/pi-hole/php/update_checker.php
Expand Up @@ -30,9 +30,6 @@ function checkUpdate($currentVersion, $latestVersion)
} else {
$versions = parse_ini_file($versionsfile);

// Allow only valid characters
$versions = preg_replace('/[^[:alnum:]._:\/-]/i', '', $versions);

// Get Pi-hole core branch / version / commit
// Check if on a dev branch
$core_branch = $versions['CORE_BRANCH'];
Expand Down Expand Up @@ -108,28 +105,28 @@ function checkUpdate($currentVersion, $latestVersion)
$ftlUrl = 'https://github.com/pi-hole/FTL/releases';
$dockerUrl = 'https://github.com/pi-hole/docker-pi-hole/releases';

// Version strings
// Version strings (encoded to avoid code execution)
// If "vDev" show branch/commit, else show link
if (isset($core_commit)) {
$coreVersionStr = $core_current.' ('.$core_branch.', '.$core_commit.')';
$coreVersionStr = htmlentities($core_current.' ('.$core_branch.', '.$core_commit.')');
} else {
$coreVersionStr = '<a href="'.$coreUrl.'/'.$core_current.'" rel="noopener" target="_blank">'.$core_current.'</a>';
$coreVersionStr = '<a href="'.$coreUrl.'/'.rawurlencode($core_current).'" rel="noopener" target="_blank">'.htmlentities($core_current).'</a>';
}

if (isset($web_commit)) {
$webVersionStr = $web_current.' ('.$web_branch.', '.$web_commit.')';
$webVersionStr = htmlentities($web_current.' ('.$web_branch.', '.$web_commit.')');
} else {
$webVersionStr = '<a href="'.$webUrl.'/'.$web_current.'" rel="noopener" target="_blank">'.$web_current.'</a>';
$webVersionStr = '<a href="'.$webUrl.'/'.rawurlencode($web_current).'" rel="noopener" target="_blank">'.htmlentities($web_current).'</a>';
}

if (isset($FTL_commit)) {
$ftlVersionStr = $FTL_current.' ('.$FTL_branch.', '.$FTL_commit.')';
$ftlVersionStr = htmlentities($FTL_current.' ('.$FTL_branch.', '.$FTL_commit.')');
} else {
$ftlVersionStr = '<a href="'.$ftlUrl.'/'.$FTL_current.'" rel="noopener" target="_blank">'.$FTL_current.'</a>';
$ftlVersionStr = '<a href="'.$ftlUrl.'/'.rawurlencode($FTL_current).'" rel="noopener" target="_blank">'.htmlentities($FTL_current).'</a>';
}

if ($docker_current) {
$dockerVersionStr = '<a href="'.$dockerUrl.'/'.$docker_current.'" rel="noopener" target="_blank">'.$docker_current.'</a>';
$dockerVersionStr = '<a href="'.$dockerUrl.'/'.rawurlencode($docker_current).'" rel="noopener" target="_blank">'.htmlentities($docker_current).'</a>';
} else {
$dockerVersionStr = '';
}
