From 665ad9aa836f874b3edc59d5ef5835f0978a5e0a Mon Sep 17 00:00:00 2001
From: danpros <dan@danpros.com>
Date: Sun, 21 Feb 2021 12:15:47 +0700
Subject: [PATCH] Make sure to return htmlspecialchars

---
 system/admin/views/config-custom.html.php   | 18 +-----------------
 system/admin/views/config-metatags.html.php |  2 +-
 system/admin/views/config-widget.html.php   | 14 +++++++-------
 system/admin/views/config.html.php          | 10 +++++-----
 system/includes/functions.php               | 15 +++++++++++++++
 5 files changed, 29 insertions(+), 30 deletions(-)

diff --git a/system/admin/views/config-custom.html.php b/system/admin/views/config-custom.html.php
index 293d34d..8bf8512 100644
--- a/system/admin/views/config-custom.html.php
+++ b/system/admin/views/config-custom.html.php
@@ -23,26 +23,10 @@
         </tr>
         <?php
         global $config_file;
-        $array = array(
-            "google.wmt" => "hallo",
-        );
+        $array = array();
         if (file_exists($config_file)) {
             $array = parse_ini_file($config_file, true);
         }
-        function valueMaker($value)
-        {
-            if (is_string($value))
-                return htmlspecialchars($value);
-
-            if ($value === true)
-                return "true";
-            if ($value === false)
-                return "false";
-
-            if ($value == false)
-                return "0";
-            return (string)$value;
-        }
         $configList = json_decode(file_get_contents('content/data/configList.json', true));
         foreach ($array as $key => $value) {
             if (!in_array($key, $configList)) {
diff --git a/system/admin/views/config-metatags.html.php b/system/admin/views/config-metatags.html.php
index 1cbe8e8..5b14976 100644
--- a/system/admin/views/config-metatags.html.php
+++ b/system/admin/views/config-metatags.html.php
@@ -1,4 +1,4 @@
-<?php 
+<?php
 global $config_file;
 $array = array();
 if (file_exists($config_file)) {
diff --git a/system/admin/views/config-widget.html.php b/system/admin/views/config-widget.html.php
index 73b79e3..bf7afeb 100644
--- a/system/admin/views/config-widget.html.php
+++ b/system/admin/views/config-widget.html.php
@@ -82,13 +82,13 @@
   <div class="form-group row">
     <label for="disqus.shortname" class="col-sm-2 col-form-label">Disqus shortname</label>
     <div class="col-sm-10">
-      <input type="text" name="-config-disqus.shortname" class="form-control" id="disqus.shortname" value="<?php echo config('disqus.shortname');?>" placeholder="htmly">
+      <input type="text" name="-config-disqus.shortname" class="form-control" id="disqus.shortname" value="<?php echo valueMaker(config('disqus.shortname'));?>" placeholder="htmly">
     </div>
   </div>
   <div class="form-group row">
     <label for="fb.appid" class="col-sm-2 col-form-label">Facebook App ID</label>
     <div class="col-sm-10">
-      <input type="text" name="-config-fb.appid" class="form-control" id="fb.appid" value="<?php echo config('fb.appid');?>" placeholder="12345abcde">
+      <input type="text" name="-config-fb.appid" class="form-control" id="fb.appid" value="<?php echo valueMaker(config('fb.appid'));?>" placeholder="12345abcde">
     </div>
   </div>
   <br>
@@ -117,13 +117,13 @@
   <div class="form-group row">
     <label for="google.reCaptcha.public" class="col-sm-2 col-form-label">Site Key</label>
     <div class="col-sm-10">
-      <input type="text" name="-config-google.reCaptcha.public" class="form-control" id="google.reCaptcha.public" value="<?php echo config('google.reCaptcha.public');?>" placeholder="12345abcde">
+      <input type="text" name="-config-google.reCaptcha.public" class="form-control" id="google.reCaptcha.public" value="<?php echo valueMaker(config('google.reCaptcha.public'));?>" placeholder="12345abcde">
     </div>
   </div>
   <div class="form-group row">
     <label for="google.reCaptcha.private" class="col-sm-2 col-form-label">Secret Key</label>
     <div class="col-sm-10">
-      <input type="text" name="-config-google.reCaptcha.private" class="form-control" id="google.reCaptcha.private" value="<?php echo config('google.reCaptcha.private');?>" placeholder="12345abcde">
+      <input type="text" name="-config-google.reCaptcha.private" class="form-control" id="google.reCaptcha.private" value="<?php echo valueMaker(config('google.reCaptcha.private'));?>" placeholder="12345abcde">
     </div>
   </div>
   <br>
@@ -132,20 +132,20 @@
   <div class="form-group row">
     <label for="google.gtag.id" class="col-sm-2 col-form-label">Universal Analytics (gtag.js)</label>
     <div class="col-sm-10">
-      <input type="text" name="-config-google.gtag.id" class="form-control" id="google.gtag.id" value="<?php echo config('google.gtag.id');?>" placeholder="12345abcde">
+      <input type="text" name="-config-google.gtag.id" class="form-control" id="google.gtag.id" value="<?php echo valueMaker(config('google.gtag.id'));?>" placeholder="12345abcde">
     </div>
   </div>
   <div class="form-group row">
     <label for="google.analytics.id" class="col-sm-2 col-form-label">Google Analytics (legacy)</label>
     <div class="col-sm-10">
-      <input type="text" name="-config-google.analytics.id" class="form-control" id="google.analytics.id" value="<?php echo config('google.analytics.id');?>" placeholder="12345abcde">
+      <input type="text" name="-config-google.analytics.id" class="form-control" id="google.analytics.id" value="<?php echo valueMaker(config('google.analytics.id'));?>" placeholder="12345abcde">
 	  <small><em>This is legacy code. Usually new created analyics using gtag.js</em></small>
     </div>
   </div>
   <div class="form-group row">
     <label for="google.wmt.id" class="col-sm-2 col-form-label">Google Search Console</label>
     <div class="col-sm-10">
-      <input type="text" name="-config-google.wmt.id" class="form-control" id="google.wmt.id" value="<?php echo config('google.wmt.id');?>" placeholder="12345abcde">
+      <input type="text" name="-config-google.wmt.id" class="form-control" id="google.wmt.id" value="<?php echo valueMaker(config('google.wmt.id'));?>" placeholder="12345abcde">
 	  <small><em>For google-site-verification meta</em></small>
     </div>
   </div>
diff --git a/system/admin/views/config.html.php b/system/admin/views/config.html.php
index 505d6f1..b8aae25 100644
--- a/system/admin/views/config.html.php
+++ b/system/admin/views/config.html.php
@@ -16,33 +16,33 @@
   <div class="form-group row">
     <label for="site.url" class="col-sm-2 col-form-label">Address (URL)</label>
     <div class="col-sm-10">
-      <input type="text" name="-config-site.url" class="form-control" id="site.url" value="<?php echo config('site.url');?>" placeholder="https://www.htmly.com">
+      <input type="text" name="-config-site.url" class="form-control" id="site.url" value="<?php echo valueMaker(config('site.url'));?>" placeholder="https://www.htmly.com">
     </div>
   </div>
   <div class="form-group row">
     <label for="blog.title" class="col-sm-2 col-form-label">Blog title</label>
     <div class="col-sm-10">
-      <input type="text" name="-config-blog.title" class="form-control" id="blog.title" value="<?php echo config('blog.title');?>" placeholder="My HTMLy Blog">
+      <input type="text" name="-config-blog.title" class="form-control" id="blog.title" value="<?php echo valueMaker(config('blog.title'));?>" placeholder="My HTMLy Blog">
     </div>
   </div>
   <div class="form-group row">
     <label for="blog.tagline" class="col-sm-2 col-form-label">Tagline</label>
     <div class="col-sm-10">
-      <input type="text" name="-config-blog.tagline" class="form-control" id="blog.tagline" value="<?php echo config('blog.tagline');?>" placeholder="Databaseless PHP Blogging Platform">
+      <input type="text" name="-config-blog.tagline" class="form-control" id="blog.tagline" value="<?php echo valueMaker(config('blog.tagline'));?>" placeholder="Databaseless PHP Blogging Platform">
 	  <small><em>In a few words, explain what this blog is about.</em></small>
     </div>
   </div>
   <div class="form-group row">
     <label for="blog.description" class="col-sm-2 col-form-label">Description</label>
     <div class="col-sm-10">
-      <textarea id="blog.description" name="-config-blog.description" class="form-control"><?php echo config('blog.description');?></textarea>   
+      <textarea id="blog.description" name="-config-blog.description" class="form-control"><?php echo valueMaker(config('blog.description'));?></textarea>   
 	  <small><em>In one paragraph, tell us more about your blog.</em></small>
     </div>
   </div>
   <div class="form-group row">
     <label for="blog.copyright" class="col-sm-2 col-form-label">Copyright</label>
     <div class="col-sm-10">
-      <input type="text" name="-config-blog.copyright" class="form-control" id="blog.copyright" value="<?php echo config('blog.copyright');?>" placeholder="(c) Your name.">
+      <input type="text" name="-config-blog.copyright" class="form-control" id="blog.copyright" value="<?php echo valueMaker(config('blog.copyright'));?>" placeholder="(c) Your name.">
     </div>
   </div>
   <div class="form-group row">
diff --git a/system/includes/functions.php b/system/includes/functions.php
index 491205c..fe949be 100644
--- a/system/includes/functions.php
+++ b/system/includes/functions.php
@@ -3321,3 +3321,18 @@ function format_date($date)
     }
 
 }
+
+function valueMaker($value)
+{
+    if (is_string($value))
+        return htmlspecialchars($value);
+
+    if ($value === true)
+        return "true";
+    if ($value === false)
+        return "false";
+
+    if ($value == false)
+        return "0";
+    return (string)$value;
+}
\ No newline at end of file