From 02eea950e4fd756e8d5c32e56181986d51f5ac70 Mon Sep 17 00:00:00 2001
From: slawkens
Date: Wed, 15 May 2024 22:15:36 +0200
Subject: [PATCH] Fix XSS in creatures.php, thanks to @gesior

Closes #254
---
 system/functions.php | 2 +-
 system/pages/creatures.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/system/functions.php b/system/functions.php
index 338fbe2d18..79095c08d0 100644
--- a/system/functions.php
+++ b/system/functions.php
@@ -1265,7 +1265,7 @@ function error_handler($errno, $errstr) {
 }
 
 function escapeHtml($html) {
- return htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+ return htmlspecialchars($html);
 }
 
 function displayErrorBoxWithBackButton($errors, $action = null) {
diff --git a/system/pages/creatures.php b/system/pages/creatures.php
index e8916ca11c..7113f64bec 100644
--- a/system/pages/creatures.php
+++ b/system/pages/creatures.php
@@ -157,7 +157,7 @@ function sort_by_chance($a, $b)
 echo '';
 echo '';
 } else {
- echo "Monster with name " . $monster_name . " doesn't exist.";
+ echo "Monster with name " . htmlspecialchars($monster_name) . " doesn't exist.";
 }
 
 //back button
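Review bot: Replacing `htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` with a bare `htmlspecialchars($html)` in escapeHtml drops two guarantees the helper previously gave: on PHP older than 8.1 the default flags are `ENT_COMPAT | ENT_HTML401`, so single quotes are left unescaped and any caller that puts the result inside a single-quoted attribute is no longer protected, and without `ENT_SUBSTITUTE` a string containing invalid UTF-8 makes the function return an empty string instead of the escaped text. Moving from htmlentities to htmlspecialchars is fine, but keep the flags: `return htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Which PHP versions the project supports is not visible in the patch, so the ENT_QUOTES point may be moot if it targets 8.1+ only, while the ENT_SUBSTITUTE point applies on every version. A one-line docblock stating that the result is safe for HTML text and quoted attribute contexts would also tell callers what escapeHtml promises.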
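Review bot: The new echo in creatures.php calls `htmlspecialchars($monster_name)` directly although the same commit touches the project's own `escapeHtml()` helper in system/functions.php; using the helper, `echo "Monster with name " . escapeHtml($monster_name) . " doesn't exist.";`, keeps one escaping policy for the codebase and means any later change to the helper's flags (ENT_QUOTES, ENT_SUBSTITUTE) also covers this page. With the bare default flags, a name containing invalid UTF-8 yields an empty string, so the message degrades to "Monster with name  doesn't exist." rather than showing the escaped input; harmless in a text node, but worth knowing. The if/else this echo belongs to starts before the hunk, and where `$monster_name` is read from and whether it is echoed elsewhere in the page is not visible here, so I cannot confirm this is the only output site that needed the fix.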