Merge pull request #930 from TheSerapher/issue-926

[SECURITY] Fixing potential XSS issues

public/include/pages/password/reset.inc.php

@@ -1,14 +1,13 @@
 <?php
 
 // Make sure we are called from index.php
-if (!defined('SECURITY'))
+if (!defined('SECURITY')) die('Hacking attempt');
-    die('Hacking attempt');
 
 // Process password reset request
 if ($user->initResetPassword($_POST['username'], $smarty)) {
   $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mail account to finish your password reset');
 } else {
-  $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
+  $_SESSION['POPUP'][] = array('CONTENT' => htmlentities($user->getError(), ENT_QUOTES), 'TYPE' => 'errormsg');
 }
 
 // Tempalte specifics, user default template by parent page

public/templates/mobile/password/default.tpl

@@ -2,5 +2,5 @@
 <input type="hidden" name="page" value="password">
 <input type="hidden" name="action" value="reset">
   <p>If you have an email set for your account, enter your username to get your password reset</p>
-  <p><input type="text" value="{$smarty.post.username|default:""}" name="username" required><input class="submit small" type="submit" value="Reset"></p>
+  <p><input type="text" value="{$smarty.post.username|escape|default:""}" name="username" required><input class="submit small" type="submit" value="Reset"></p>
 </form>

public/templates/mpos/account/invitations/default.tpl

@@ -1,6 +1,6 @@
 <form action="{$smarty.server.PHP_SELF}" method="POST">
-  <input type="hidden" name="page" value="{$smarty.request.page}">
+  <input type="hidden" name="page" value="{$smarty.request.page|escape}">
-  <input type="hidden" name="action" value="{$smarty.request.action}">
+  <input type="hidden" name="action" value="{$smarty.request.action|escape}">
   <input type="hidden" name="do" value="sendInvitation">
   <article class="module width_quarter">
     <header><h3>Invitation</h3></header>

public/templates/mpos/account/transactions/default.tpl

@@ -22,22 +22,22 @@
   <header><h3>Transaction Filter</h3></header>
   <div class="module_content">
   <form action="{$smarty.server.PHP_SELF}">
-    <input type="hidden" name="page" value="{$smarty.request.page}" />
+    <input type="hidden" name="page" value="{$smarty.request.page|escape}" />
-    <input type="hidden" name="action" value="{$smarty.request.action}" />
+    <input type="hidden" name="action" value="{$smarty.request.action|escape}" />
     <table cellspacing="0" class="tablesorter">
     <tbody>
       <tr>
 {if $COUNTTRANSACTIONS / $LIMIT > 1}
         <td align="left">
   {if $smarty.request.start|default:"0" > 0}
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&start={$smarty.request.start|default:"0" - $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-left-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&start={$smarty.request.start|escape|default:"0" - $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-left-open"></i></a>
   {else}
           <i class="icon-left-open"></i>
   {/if}
         </td>
         <td align="right">
   {if $COUNTTRANSACTIONS - $smarty.request.start|default:"0" - $LIMIT > 0}
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&start={$smarty.request.start|default:"0" + $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-right-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&start={$smarty.request.start|escape|default:"0" + $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-right-open"></i></a>
   {else}
           <i class="icon-right-open"></i>
   {/if}

public/templates/mpos/account/workers/default.tpl

@@ -1,8 +1,8 @@
 <article class="module width_quarter">
   <header><h3 class="">Add New Worker</h3></header>
   <form action="{$smarty.server.PHP_SELF}" method="post">
-    <input type="hidden" name="page" value="{$smarty.request.page}">
+    <input type="hidden" name="page" value="{$smarty.request.page|escape}">
-    <input type="hidden" name="action" value="{$smarty.request.action}">
+    <input type="hidden" name="action" value="{$smarty.request.action|escape}">
     <input type="hidden" name="do" value="add">
     <div class="module_content">
       <fieldset>
@@ -26,8 +26,8 @@
 <article class="module width_3_quarter">
   <header><h3 class="">Worker Configuration</h3></header>
   <form action="{$smarty.server.PHP_SELF}" method="post">
-    <input type="hidden" name="page" value="{$smarty.request.page}">
+    <input type="hidden" name="page" value="{$smarty.request.page|escape}">
-    <input type="hidden" name="action" value="{$smarty.request.action}">
+    <input type="hidden" name="action" value="{$smarty.request.action|escape}">
     <input type="hidden" name="do" value="update">
     <table class="tablesorter" cellspacing="0">
       <thead>

public/templates/mpos/admin/news/default.tpl

@@ -1,8 +1,8 @@
 <article class="module width_full">
   <header><h3>News Posts</h3></header>
   <form method="POST" action="{$smarty.server.PHP_SELF}">
-    <input type="hidden" name="page" value="{$smarty.request.page}">
+    <input type="hidden" name="page" value="{$smarty.request.page|escape}">
-    <input type="hidden" name="action" value="{$smarty.request.action}">
+    <input type="hidden" name="action" value="{$smarty.request.action|escape}">
     <input type="hidden" name="do" value="add">
     <div class="module_content">
       <fieldset>
@@ -30,8 +30,8 @@
   <div class="module_content">{$NEWS[news].content}</div>
   <footer>
     <div class="submit_link">
-      <a href='{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action=news_edit&id={$NEWS[news].id}'><i class="icon-wrench"></i></a>&nbsp;
+      <a href='{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action=news_edit&id={$NEWS[news].id}'><i class="icon-wrench"></i></a>&nbsp;
-      <a href='{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&do=delete&id={$NEWS[news].id}'><i class="icon-trash"></i></a>
+      <a href='{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&do=delete&id={$NEWS[news].id}'><i class="icon-trash"></i></a>
     </div>
   </footer>
 </article>

public/templates/mpos/admin/news_edit/default.tpl

@@ -1,8 +1,8 @@
 <article class="module width_full">
   <header><h3>Edit news entry #{$NEWS.id}</h3></header>
 <form method="POST" action="{$smarty.server.PHP_SELF}">
-  <input type="hidden" name="page" value="{$smarty.request.page}">
+  <input type="hidden" name="page" value="{$smarty.request.page|escape}">
-  <input type="hidden" name="action" value="{$smarty.request.action}">
+  <input type="hidden" name="action" value="{$smarty.request.action|escape}">
   <input type="hidden" name="id" value="{$NEWS.id}">
   <input type="hidden" name="do" value="save">
   <table class="tablesorter" cellspacing="0">

public/templates/mpos/admin/reports/earnings_control.tpl

@@ -1,15 +1,15 @@
 <form action="{$smarty.server.PHP_SELF}" method="post">
-  <input type="hidden" name="page" value="{$smarty.request.page|escape}">
+  <input type="hidden" name="page" value="{$smarty.request.page|escape|escape}">
-  <input type="hidden" name="action" value="{$smarty.request.action|escape}">
+  <input type="hidden" name="action" value="{$smarty.request.action|escape|escape}">
 <article class="module width_full">
   <header><h3>Earnings Information</h3></header>
 <table class="tablesorter">
     <tbody>
         <td align="left">
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={if is_array($REPORTDATA) && count($REPORTDATA) > ($BLOCKLIMIT - 1)}{$REPORTDATA[$BLOCKLIMIT - 1].height}{/if}&prev=1&limit={$BLOCKLIMIT}&id={$USERID}&filter={$FILTER}"<i class="icon-left-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={if is_array($REPORTDATA) && count($REPORTDATA) > ($BLOCKLIMIT - 1)}{$REPORTDATA[$BLOCKLIMIT - 1].height}{/if}&prev=1&limit={$BLOCKLIMIT}&id={$USERID}&filter={$FILTER}"<i class="icon-left-open"></i></a>
         </td>
         <td align="right">
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={if is_array($REPORTDATA) && count($REPORTDATA) > 0}{$REPORTDATA[0].height}{/if}&next=1&limit={$BLOCKLIMIT}&id={$USERID}&filter={$FILTER}"><i class="icon-right-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={if is_array($REPORTDATA) && count($REPORTDATA) > 0}{$REPORTDATA[0].height}{/if}&next=1&limit={$BLOCKLIMIT}&id={$USERID}&filter={$FILTER}"><i class="icon-right-open"></i></a>
         </td>
       </tr>
     </tbody>

public/templates/mpos/admin/settings/default.tpl

@@ -1,7 +1,7 @@
 <article class="module width_full">
   <form method="POST">
-    <input type="hidden" name="page" value="{$smarty.request.page}" />
+    <input type="hidden" name="page" value="{$smarty.request.page|escape}" />
-    <input type="hidden" name="action" value="{$smarty.request.action}" />
+    <input type="hidden" name="action" value="{$smarty.request.action|escape}" />
     <input type="hidden" name="do" value="save" />
     <header>
       <h3 class="tabs_involved">Settings</h3>

public/templates/mpos/admin/transactions/default.tpl

@@ -22,22 +22,22 @@
   <header><h3>Transaction Filter</h3></header>
   <div class="module_content">
   <form action="{$smarty.server.PHP_SELF}">
-    <input type="hidden" name="page" value="{$smarty.request.page}" />
+    <input type="hidden" name="page" value="{$smarty.request.page|escape}" />
-    <input type="hidden" name="action" value="{$smarty.request.action}" />
+    <input type="hidden" name="action" value="{$smarty.request.action|escape}" />
     <table cellspacing="0" class="tablesorter">
     <tbody>
       <tr>
 {if $COUNTTRANSACTIONS / $LIMIT > 1}
         <td align="left">
   {if $smarty.request.start|default:"0" > 0}
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&start={$smarty.request.start|default:"0" - $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-left-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&start={$smarty.request.start|default:"0" - $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-left-open"></i></a>
   {else}
           <i class="icon-left-open"></i>
   {/if}
         </td>
         <td align="right">
   {if $COUNTTRANSACTIONS - $smarty.request.start|default:"0" - $LIMIT > 0}
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&start={$smarty.request.start|default:"0" + $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-right-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&start={$smarty.request.start|default:"0" + $LIMIT}{if $FILTERS|default:""}{$FILTERS}{/if}"><i class="icon-right-open"></i></a>
   {else}
           <i class="icon-right-open"></i>
   {/if}

public/templates/mpos/admin/user/default.tpl

@@ -3,21 +3,21 @@
       $.ajax({
        type: "POST",
        url: "{$smarty.server.PHP_SELF}",
-       data: "page={$smarty.request.page}&action={$smarty.request.action}&do=fee&account_id=" + id,
+       data: "page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&do=fee&account_id=" + id,
      });
     }
     function storeLock(id) {
       $.ajax({
        type: "POST",
        url: "{$smarty.server.PHP_SELF}",
-       data: "page={$smarty.request.page}&action={$smarty.request.action}&do=lock&account_id=" + id,
+       data: "page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&do=lock&account_id=" + id,
      });
     }
     function storeAdmin(id) {
       $.ajax({
        type: "POST",
        url: "{$smarty.server.PHP_SELF}",
-       data: "page={$smarty.request.page}&action={$smarty.request.action}&do=admin&account_id=" + id,
+       data: "page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&do=admin&account_id=" + id,
      });
     }
 </script>

public/templates/mpos/password/default.tpl

@@ -7,7 +7,7 @@
       <p>If you have an email set for your account, enter your username to get your password reset</p>
       <fieldset>
         <label>Username or E-Mail</label>
-        <input type="text" name="username" value="{$smarty.post.username|default:""}" size="22" maxlength="20" required>
+        <input type="text" name="username" value="{$smarty.post.username|escape|default:""}" size="22" maxlength="20" required>
       </fieldset>
       <div class="clear"></div>
     </div>

public/templates/mpos/statistics/blocks/block_shares_graph.tpl

@@ -40,10 +40,10 @@
     <tbody>
       <tr>
         <td align="left">
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={if is_array($BLOCKSFOUND) && count($BLOCKSFOUND) > ($BLOCKLIMIT - 1)}{$BLOCKSFOUND[$BLOCKLIMIT - 1].height}{/if}&prev=1"><i class="icon-left-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={if is_array($BLOCKSFOUND) && count($BLOCKSFOUND) > ($BLOCKLIMIT - 1)}{$BLOCKSFOUND[$BLOCKLIMIT - 1].height}{/if}&prev=1"><i class="icon-left-open"></i></a>
         </td>
         <td align="right">
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={if is_array($BLOCKSFOUND) && count($BLOCKSFOUND) > 0}{$BLOCKSFOUND[0].height}{/if}&next=1"><i class="icon-right-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={if is_array($BLOCKSFOUND) && count($BLOCKSFOUND) > 0}{$BLOCKSFOUND[0].height}{/if}&next=1"><i class="icon-right-open"></i></a>
         </td>
       </tr>
     </tbody>

public/templates/mpos/statistics/graphs/default.tpl

@@ -8,8 +8,8 @@
     </ul>
   </header>
   <div class="tab_container">
-{include file="{$smarty.request.page}/{$smarty.request.action}/mine.tpl"}
+{include file="{$smarty.request.page|escape}/{$smarty.request.action|escape}/mine.tpl"}
-{include file="{$smarty.request.page}/{$smarty.request.action}/pool.tpl"}
+{include file="{$smarty.request.page|escape}/{$smarty.request.action|escape}/pool.tpl"}
-{include file="{$smarty.request.page}/{$smarty.request.action}/both.tpl"}
+{include file="{$smarty.request.page|escape}/{$smarty.request.action|escape}/both.tpl"}
   </div>
 </article>

public/templates/mpos/statistics/round/pplns_block_stats.tpl

@@ -4,10 +4,10 @@
     <tbody>
       <tr>
         <td align="left">
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={$BLOCKDETAILS.height}&prev=1"><i class="icon-left-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={$BLOCKDETAILS.height}&prev=1"><i class="icon-left-open"></i></a>
         </td>
         <td align="right" colspan="4">
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={$BLOCKDETAILS.height}&next=1"><i class="icon-right-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={$BLOCKDETAILS.height}&next=1"><i class="icon-right-open"></i></a>
         </td>
       </tr>
     </tbody>

public/templates/mpos/statistics/round/pplns_block_stats_small.tpl

@@ -4,10 +4,10 @@
     <tbody>
       <tr>
         <td align="left">
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={$BLOCKDETAILS.height}&prev=1"><i class="icon-left-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={$BLOCKDETAILS.height}&prev=1"><i class="icon-left-open"></i></a>
         </td>
         <td align="right" colspan="4">
-          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page}&action={$smarty.request.action}&height={$BLOCKDETAILS.height}&next=1"><i class="icon-right-open"></i></a>
+          <a href="{$smarty.server.PHP_SELF}?page={$smarty.request.page|escape}&action={$smarty.request.action|escape}&height={$BLOCKDETAILS.height}&next=1"><i class="icon-right-open"></i></a>
         </td>
       </tr>
     </tbody>