Fix XSS in creatures.php, thanks to @gesior

Closes #254
slawkens · May 15, 2024 · 02eea95 · 02eea95
1 parent 2793c41
commit 02eea95
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/system/functions.php b/system/functions.php
@@ -1265,7 +1265,7 @@ function error_handler($errno, $errstr) {
 }
 
 function escapeHtml($html) {
-	return htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+	return htmlspecialchars($html);
 }
 
 function displayErrorBoxWithBackButton($errors, $action = null) {

diff --git a/system/pages/creatures.php b/system/pages/creatures.php
@@ -157,7 +157,7 @@ function sort_by_chance($a, $b)
 		echo '</td></tr>';
 		echo '</TABLE>';
 	} else {
-		echo "Monster with name <b>" . $monster_name . "</b> doesn't exist.";
+		echo "Monster with name <b>" . htmlspecialchars($monster_name) . "</b> doesn't exist.";
 	}
 
 //back button