From ec1cf1d303598679536ec0934190e0d63731c4e6 Mon Sep 17 00:00:00 2001
From: danpros
Date: Wed, 6 May 2020 13:06:59 +0700
Subject: [PATCH] CVE-2019-8349 XSS vulnerabilities fix

---
 config/config.ini | 147 ----------------------------
 config/config.ini.example | 4 +-
 config/users/kanti.ini | 9 --
 system/admin/admin.php | 2 +-
 system/admin/views/backup.html.php | 2 +-
 system/admin/views/delete-category.html.php | 2 +-
 system/admin/views/delete-page.html.php | 2 +-
 system/admin/views/delete-post.html.php | 2 +-
 system/admin/views/edit-content.html.php | 2 +-
 system/admin/views/edit-page.html.php | 2 +-
 system/admin/views/popular-posts.html.php | 2 +-
 system/admin/views/posts-list.html.php | 2 +-
 system/admin/views/user-draft.html.php | 2 +-
 system/admin/views/user-posts.html.php | 2 +-
 system/htmly.php | 24 ++---
 system/includes/functions.php | 9 +-
 themes/blog/layout.html.php | 2 +-
 themes/twentyfifteen/layout.html.php | 2 +-
 themes/twentysixteen/layout.html.php | 2 +-
 19 files changed, 31 insertions(+), 190 deletions(-)
 delete mode 100644 config/config.ini
 delete mode 100644 config/users/kanti.ini

diff --git a/config/config.ini b/config/config.ini
deleted file mode 100644
index 2e5ac0a..0000000
--- a/config/config.ini
+++ /dev/null
@@ -1,147 +0,0 @@ -; The URL of your blog. Include the http or https if you are using Facebook or Disqus comment. -site.url = "" - -; Your timezone -timezone = "Asia/Jakarta" - -; Your language ("en" for English, "de" for German, "pl" for Polish) -language = "en" - -; Blog info -blog.title = "HTMLy" -blog.tagline = "Just another HTMLy blog" -blog.description = "Proudly powered by HTMLy, a databaseless blogging platform." -blog.copyright = "(c) Your name." - -; Set permalink type. "default" using /year/month/title. "post" using /post/title -permalink.type = "default" - -; Make the frontpage static. Options "false" and "true" -static.frontpage = "false" - -; Show the /blog url as the blog homepage. Options "false" and "true" -blog.enable = "false" - -; Social account -social.twitter = "https://twitter.com" -social.facebook = "https://www.facebook.com" -social.google = "https://plus.google.com" -social.tumblr = "http://www.tumblr.com" - -; Custom menu link. -; See example below: -; "Google->http://www.google.com|Wikipedia->http://www.wikipedia.org". -blog.menu = "" - -; Breadcrumb home text. Useful when installed on subfolder. -breadcrumb.home = "Home" - -; Comment system. Choose "facebook", "disqus", or "disable". -comment.system = "disable" - -; Facebook comments -fb.appid = "" -fb.num = "5" -fb.color = "light" - -; Disqus comments -disqus.shortname = "" - -; Google Web Master Tool ID verification -google.wmt.id = "" - -; Google+ publisher -google.publisher = "" - -; Google analytics -google.analytics.id = "" - -; Google reCaptcha -; https://www.google.com/recaptcha/admin. 
Options "false" and "true" - -google.reCaptcha = "false" -google.reCaptcha.public = "" -google.reCaptcha.private = "" - -; Pagination, RSS, and JSON -posts.perpage = "10" -category.perpage = "10" -tag.perpage = "10" -archive.perpage = "10" -search.perpage = "10" -profile.perpage = "10" -type.perpage = "10" -json.count = "10" - -; Category info -category.info = "true" - -; Related posts -related.count = "3" - -; Recent posts -recent.count = "5" - -; Popular posts -popular.count = "5" - -; Author info on blog post. Set "true" or "false". -author.info = "true" - -; Teaser type: set "trimmed" or "full". -teaser.type = "full" - -; Read more link text for "full" teaser type -read.more = "Read more" - -; Teaser character count -teaser.char = "200" - -; Description character count -description.char = "150" - -; RSS feed count -rss.count = "10" - -; RSS feed description length. If left empty we will use full page. -rss.char = "200" - -; Enable image thumbnail on teaser, the options is "true" and "false". If set to "true", you can specify the default thumbnail also. -img.thumbnail = "false" -default.thumbnail = "" - -; Enable views Counter, the options is "true" and "false". If set to "true", you can see the Counts in Admin page and popular posts. -views.counter = "false" - -; Sitemap priorities between "0.0" and "1.0". Set "false" to disable a sitemap for the given type. (See /sitemap.xml) -sitemap.priority.base = "1.0" -sitemap.priority.post = "0.5" -sitemap.priority.static = "0.5" -sitemap.priority.category = "0.5" -sitemap.priority.tag = "0.5" -sitemap.priority.archiveDay = "0.5" -sitemap.priority.archiveMonth = "0.5" -sitemap.priority.archiveYear = "0.5" -sitemap.priority.author = "0.5" -sitemap.priority.type = "0.5" - -; Also install pre-release -prerelease = "false" - -; Cache expiration in hour. Eg. "6", "12". Default 6 hours. -cache.expiration = "6" - -; Switch on and off the file cache for development purposes. 
Options "false" and "true" -cache.off = "false" - -; Switch on and off the page generation time. Options "false" and "true" -generation.time = "false" - -; Switch on and off the cache timestamp. Options "false" and "true" -cache.timestamp = "false" - -; Set the theme here -views.root = "themes/twentysixteen" - -; Framework config. No need to edit. -views.layout = "layout" diff --git a/config/config.ini.example b/config/config.ini.example index e179170..0161ec6 100644 --- a/config/config.ini.example +++ b/config/config.ini.example @@ -4,6 +4,9 @@ site.url = "" ; Your timezone timezone = "Asia/Jakarta" +; Time format. See: https://www.php.net/manual/en/function.date.php +time.format = "d F Y" + ; Your language (currently only "en" for English or "de" for German) language = "en" @@ -25,7 +28,6 @@ blog.enable = "false" ; Social account social.twitter = "https://twitter.com" social.facebook = "https://www.facebook.com" -social.google = "https://plus.google.com" social.tumblr = "http://www.tumblr.com" ; Custom menu link. diff --git a/config/users/kanti.ini b/config/users/kanti.ini deleted file mode 100644 index ace040f..0000000 --- a/config/users/kanti.ini +++ /dev/null @@ -1,9 +0,0 @@ -;Password -password = yourpassword -encryption = clear -; encryption: not set, leave blank or set to clear or none to use plain text password for the user, -; else set to encryption algoritm supported by hash function of php to use the selected -; encryption - -;Role -role = admin diff --git a/system/admin/admin.php b/system/admin/admin.php index 5378543..8afcb56 100644 --- a/system/admin/admin.php +++ b/system/admin/admin.php @@ -695,7 +695,7 @@ function get_user_posts() $i++; echo ''; echo '' . $p->title . ''; - echo '' . date('d F Y', $p->date) . ''; + echo '' . format_date($p->date) . ''; if (config("views.counter") == "true") echo '' . $p->views . ''; echo '' . $p->tag . ''; 
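Review bot: In the system/admin/admin.php hunk, `$p->title` and `$p->tag` on the lines around the changed one are concatenated straight into the echoed listing with no escaping call, while the rest of this commit introduces `_h()` for exactly that purpose; if post titles and tags can be written by non-admin contributors, this admin listing is a sink that needs it too. Wrapping those fields at output, `_h($p->title)` and `_h($p->tag)`, would bring the view in line with the escaping the commit adds elsewhere. `format_date()` is defined outside the hunk, so what it does with the configured `time.format` cannot be checked here, and get_user_posts() continues past the hunk on both sides.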
diff --git a/system/admin/views/backup.html.php b/system/admin/views/backup.html.php index 0d2f001..bf4d4d4 100644 --- a/system/admin/views/backup.html.php +++ b/system/admin/views/backup.html.php @@ -1,7 +1,7 @@ file; diff --git a/system/admin/views/delete-page.html.php b/system/admin/views/delete-page.html.php index ca4305b..b109908 100644 --- a/system/admin/views/delete-page.html.php +++ b/system/admin/views/delete-page.html.php @@ -1,6 +1,6 @@ file; diff --git a/system/admin/views/delete-post.html.php b/system/admin/views/delete-post.html.php index be502d4..11507c0 100644 --- a/system/admin/views/delete-post.html.php +++ b/system/admin/views/delete-post.html.php @@ -1,6 +1,6 @@ file; $oldurl = explode('_', $url); diff --git a/system/admin/views/edit-content.html.php b/system/admin/views/edit-content.html.php index 201bc6a..39ee212 100644 --- a/system/admin/views/edit-content.html.php +++ b/system/admin/views/edit-content.html.php @@ -30,7 +30,7 @@ if (empty($oldtag)) { $oldmd = str_replace('.md', '', $oldurl[2]); if (isset($_GET['destination'])) { - $destination = $_GET['destination']; + $destination = _h($_GET['destination']); } else { $destination = 'admin'; } diff --git a/system/admin/views/edit-page.html.php b/system/admin/views/edit-page.html.php index 68359a8..fde8ca1 100644 --- a/system/admin/views/edit-page.html.php +++ b/system/admin/views/edit-page.html.php @@ -41,7 +41,7 @@ if ($type == 'is_frontpage') { $oldcontent = remove_html_comments($content); if (isset($_GET['destination'])) { - $destination = $_GET['destination']; + $destination = _h($_GET['destination']); } else { $destination = 'admin'; } diff --git a/system/admin/views/popular-posts.html.php b/system/admin/views/popular-posts.html.php index 1206aa1..1265928 100644 --- a/system/admin/views/popular-posts.html.php +++ b/system/admin/views/popular-posts.html.php @@ -24,7 +24,7 @@ ?> title ?> - date) ?> + date) ?> views ?> author ?> 
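Review bot: In the system/admin/views/edit-content.html.php hunk `_h()` is applied to `$_GET['destination']` at the point it is read, so the encoding is chosen before the sink is known; if `$destination` is later placed in a redirect or link target (its use is outside the hunk), an HTML escaper neither URL-encodes the value nor restricts where the redirect goes. A value that names a return route is better validated than escaped: compare it against the set of admin routes the page can return to and fall back to `'admin'` on anything else, e.g. `$destination = isset($_GET['destination']) && in_array($_GET['destination'], $allowed_destinations, true) ? $_GET['destination'] : 'admin';` with `$allowed_destinations` being that list, and keep `_h()` for the place where the value is printed. The identical lines in the edit-page.html.php hunk need the same treatment.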
diff --git a/system/admin/views/posts-list.html.php b/system/admin/views/posts-list.html.php index 71ffcdc..52f6cd4 100644 --- a/system/admin/views/posts-list.html.php +++ b/system/admin/views/posts-list.html.php @@ -24,7 +24,7 @@ ?> title ?> - date) ?> + date) ?> views ?> author ?> diff --git a/system/admin/views/user-draft.html.php b/system/admin/views/user-draft.html.php index c91eadc..e24d2b5 100644 --- a/system/admin/views/user-draft.html.php +++ b/system/admin/views/user-draft.html.php @@ -22,7 +22,7 @@ ?> title ?> - date) ?> + date) ?> tag) ?> diff --git a/system/admin/views/user-posts.html.php b/system/admin/views/user-posts.html.php index f386397..7a0a2d3 100644 --- a/system/admin/views/user-posts.html.php +++ b/system/admin/views/user-posts.html.php @@ -25,7 +25,7 @@ ?> title ?> - date) ?> + date) ?> views ?> diff --git a/system/htmly.php b/system/htmly.php index 33d21f8..764b7a7 100644 --- a/system/htmly.php +++ b/system/htmly.php @@ -17,7 +17,7 @@ if (config('timezone')) { get('/index', function () { if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } @@ -186,7 +186,7 @@ post('/login', function () { get('/author/:name', function ($name) { if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } @@ -397,7 +397,7 @@ get('/front/edit', function () { // Show the "Add content" page get('/add/content', function () { - $req = $_GET['type']; + $req = _h($_GET['type']); $type = 'is_' . $req; @@ -1401,7 +1401,7 @@ get('/admin/categories', function () { get('/category/:category', function ($category) { if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } 
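Review bot: `_h()` is applied to `$_GET['search']` in the /index hunk of system/htmly.php, but the value only feeds a Location header and never HTML output, so an HTML escaper is the wrong encoder for this sink: if `_h()` is htmlspecialchars (its definition is outside the hunk), a term containing `&` or a quote presumably becomes `&amp;` or `&quot;` and remove_accent() then folds those entity names into the redirected keyword. The path segment should be URL-encoded instead, `$url = site_url() . 'search/' . rawurlencode(remove_accent($_GET['search']));`, with HTML escaping kept for where the keyword is rendered on the search page. The same three lines recur in the /author, /category, /type, /tag, /archive, /search, /post, /:static, /:static/:sub and /:year/:month/:name hunks and in system/includes/functions.php @@ -2164; one helper called from each route would keep them in step. Each of these route closures continues outside its hunk.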
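Review bot: In the /add/content hunk of system/htmly.php, `$_GET['type']` is read with no `isset()` guard, unlike the `$_GET['search']` accesses in the same commit, so a request without the parameter raises an undefined-index notice before `$type` is built. Escaping also does not constrain the value: `$type = 'is_' . $req;` lets any string select the content type, so the parameter should be checked against the list of content types the route supports (not visible in the hunk) and the request rejected otherwise, e.g. `$req = isset($_GET['type']) ? $_GET['type'] : '';` followed by an `in_array($req, $known_types, true)` test, with `$known_types` being that list. The closure body continues past the hunk, so the later uses of `$type` cannot be reviewed here.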
@@ -1597,7 +1597,7 @@ post('/category/:category/delete', function () { get('/type/:type', function ($type) { if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } @@ -1666,7 +1666,7 @@ get('/type/:type', function ($type) { get('/tag/:tag', function ($tag) { if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } @@ -1731,7 +1731,7 @@ get('/tag/:tag', function ($tag) { get('/archive/:req', function ($req) { if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } @@ -1806,7 +1806,7 @@ get('/archive/:req', function ($req) { get('/search/:keyword', function ($keyword) { if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } @@ -1904,7 +1904,7 @@ get('/feed/opml', function () { get('/post/:name', function ($name) { if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } @@ -2288,7 +2288,7 @@ post('/post/:name/delete', function () { get('/:static', function ($static) { if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } @@ -2683,7 +2683,7 @@ post('/:static/delete', function () { get('/:static/:sub', function ($static, $sub) { if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } 
@@ -2890,7 +2890,7 @@ post('/:static/:sub/delete', function () { get('/:year/:month/:name', function ($year, $month, $name) { if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } diff --git a/system/includes/functions.php b/system/includes/functions.php index ae67524..45f2e0f 100644 --- a/system/includes/functions.php +++ b/system/includes/functions.php @@ -1816,7 +1816,6 @@ function social($imgDir = null) { $twitter = config('social.twitter'); $facebook = config('social.facebook'); - $google = config('social.google'); $tumblr = config('social.tumblr'); $rss = site_url() . 'feed/rss'; @@ -1832,10 +1831,6 @@ function social($imgDir = null) echo 'Facebook'; } - if (!empty($google)) { - echo 'Google+'; - } - if (!empty($tumblr)) { echo 'Tumblr'; } @@ -2164,7 +2159,7 @@ EOF; EOF; } if (isset($_GET['search'])) { - $search = $_GET['search']; + $search = _h($_GET['search']); $url = site_url() . 'search/' . remove_accent($search); header("Location: $url"); } @@ -3212,7 +3207,7 @@ function get_language() $langID = config('language'); $langFile = 'lang/'. $langID . '.ini'; - $local = strtolower($langID); + $local = $langID; // Settings for the language if (!isset($langID) || config('language') === 'en') { diff --git a/themes/blog/layout.html.php b/themes/blog/layout.html.php index c9f6232..cd9f1ef 100644 --- a/themes/blog/layout.html.php +++ b/themes/blog/layout.html.php @@ -26,7 +26,7 @@
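Review bot: The replacement `$local = $langID;` in the system/includes/functions.php @@ -3207 hunk leaves `$local` as a bare alias of `$langID`, and dropping the strtolower() call is a behavior change unrelated to the XSS fix in the commit title, so the reason is not recorded anywhere in the patch. If language IDs are now meant to be case-sensitive, a comment such as `// language IDs are case-sensitive; keep the configured spelling` (or using `$langID` directly and removing `$local`) would make that intent explicit for the next reader. The rest of get_language() is outside the hunk, so how `$local` is consumed cannot be checked here.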