fix: added missing conversion to HTML entities

thorsten · Nov 1, 2022 · 1adf42d · 1adf42d
1 parent 0f57bb0
commit 1adf42d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 24 deletions.
diff --git a/phpmyfaq/admin/stat.adminlog.php b/phpmyfaq/admin/stat.adminlog.php
@@ -7,19 +7,19 @@
  * v. 2.0. If a copy of the MPL was not distributed with this file, You can
  * obtain one at http://mozilla.org/MPL/2.0/.
  *
- * @package phpMyFAQ
- * @author Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
  * @copyright 2003-2022 phpMyFAQ Team
- * @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
- * @link https://www.phpmyfaq.de
- * @since 2003-02-23
+ * @license   http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2003-02-23
  */
 
 use phpMyFAQ\Date;
 use phpMyFAQ\Filter;
-use phpMyFAQ\Link;
 use phpMyFAQ\Logging;
 use phpMyFAQ\Pagination;
+use phpMyFAQ\Strings;
 
 if (!defined('IS_VALID_PHPMYFAQ')) {
     http_response_code(400);
@@ -114,7 +114,7 @@
         <tr>
             <td><?= $loggingId ?></td>
             <td><?= $date->format(date('Y-m-d H:i', $loggingValue['time'])) ?></td>
-            <td><?= $user->getLogin() ?></td>
+            <td><?= Strings::htmlentities($user->getLogin()) ?></td>
             <td><?= $loggingValue['ip'] ?></td>
             <td><small><?php
             $text = $loggingValue['text'];

diff --git a/phpmyfaq/src/phpMyFAQ/Logging.php b/phpmyfaq/src/phpMyFAQ/Logging.php
@@ -24,10 +24,8 @@
  */
 class Logging
 {
-    /**
-     * @var Configuration
-     */
-    private $config = null;
+    /** @var Configuration */
+    private Configuration $config;
 
     /**
      * Constructor.
@@ -44,16 +42,9 @@ public function __construct(Configuration $config)
      *
      * @return int
      */
-    public function getNumberOfEntries()
+    public function getNumberOfEntries(): int
     {
-        $query = sprintf(
-            '
-            SELECT
-                id
-            FROM
-                %sfaqadminlog',
-            Database::getTablePrefix()
-        );
+        $query = sprintf('SELECT id FROM %sfaqadminlog', Database::getTablePrefix());
 
         return $this->config->getDb()->numRows(
             $this->config->getDb()->query($query)
@@ -65,7 +56,7 @@ public function getNumberOfEntries()
      *
      * @return array
      */
-    public function getAll()
+    public function getAll(): array
     {
         $data = [];
 
@@ -80,6 +71,7 @@ public function getAll()
         );
 
         $result = $this->config->getDb()->query($query);
+
         while ($row = $this->config->getDb()->fetchObject($result)) {
             $data[$row->id] = array(
                 'time' => $row->time,
@@ -100,7 +92,7 @@ public function getAll()
      *
      * @return bool
      */
-    public function logAdmin(User $user, $logText = '')
+    public function logAdmin(User $user, string $logText = ''): bool
     {
         if ($this->config->get('main.enableAdminLog')) {
             $query = sprintf(
@@ -112,10 +104,10 @@ public function logAdmin(User $user, $logText = '')
                 (%d, %d, %d, '%s', '%s')",
                 Database::getTablePrefix(),
                 $this->config->getDb()->nextId(Database::getTablePrefix() . 'faqadminlog', 'id'),
-                $_SERVER['REQUEST_TIME'],
+                $this->config->getDb()->escape($_SERVER['REQUEST_TIME']),
                 $user->userdata->get('user_id'),
                 $this->config->getDb()->escape(nl2br($logText)),
-                $_SERVER['REMOTE_ADDR']
+                $this->config->getDb()->escape($_SERVER['REMOTE_ADDR'])
             );
 
             return $this->config->getDb()->query($query);