From d30bef0a408f7a0b4199c518bf46ccb38110c2f0 Mon Sep 17 00:00:00 2001
From: Ferywir <65760459+Ferywir@users.noreply.github.com>
Date: Tue, 9 Jun 2026 13:57:56 +0200
Subject: [PATCH] security: harden signup username validation + fix reflected
 XSS (#184) (#187)

---
 GameEngine/Account.php | 10 +++++++++-
 anmelden.php           |  8 ++++----
 login.php              |  4 ++--
 3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/GameEngine/Account.php b/GameEngine/Account.php
index 3a6960d2..c2b33f1e 100755
--- a/GameEngine/Account.php
+++ b/GameEngine/Account.php
@@ -77,9 +77,17 @@ class Account {
     } else {
         if (strlen($_POST['name']) < USRNM_MIN_LENGTH) {
             $form->addError("name", USRNM_SHORT);
+        } elseif (strlen($_POST['name']) > (defined('USRNM_MAX_LENGTH') ? USRNM_MAX_LENGTH : 15)) {
+            // Hard upper bound on the username length (issue #184).
+            $form->addError("name", USRNM_CHAR);
         } elseif (!USRNM_SPECIAL && preg_match('/[^0-9A-Za-z]/', $_POST['name'])) {
             $form->addError("name", USRNM_CHAR);
-        } elseif (USRNM_SPECIAL && preg_match("/[:,\\. \\n\\r\\t\\s\\<\\>]+/", $_POST['name'])) {
+        } elseif (USRNM_SPECIAL && !preg_match('/^[A-Za-z0-9._-]+(?: [A-Za-z0-9._-]+)*$/D', $_POST['name'])) {
+            // SECURITY (issue #184): positive ASCII allowlist instead of the old
+            // negative filter. Allows letters, digits, . _ - and single internal
+            // spaces only (no leading/trailing/double spaces, no trailing newline).
+            // Blocks & = ' " < > ; ( ) and ALL multibyte/emoji input, which were
+            // previously accepted and led to stored XSS / display corruption.
             $form->addError("name", USRNM_CHAR);
         } elseif (strtolower($_POST['name']) === 'natars') {
             $form->addError("name", USRNM_TAKEN);
diff --git a/anmelden.php b/anmelden.php
index 2f9f0470..1a118d75 100644
--- a/anmelden.php
+++ b/anmelden.php
@@ -61,28 +61,28 @@ if(REG_OPEN == true){ ?>
 <p><?php echo BEFORE_REGISTER; ?></p>
 
 <form name="snd" method="post" action="anmelden.php">
-<input type="hidden" name="invited" value="<?php echo $invited; ?>" />
+<input type="hidden" name="invited" value="<?php echo htmlspecialchars($invited, ENT_QUOTES, 'UTF-8'); ?>" />
 <input type="hidden" name="ft" value="a1" />
 
 <table cellpadding="1" cellspacing="1" id="sign_input">
 	<tbody>
 		<tr class="top">
 			<th><?php echo NICKNAME; ?></th>
-			<td><input class="text" type="text" name="name" value="<?php echo $form->getValue('name'); ?>" maxlength="30" />
+			<td><input class="text" type="text" name="name" value="<?php echo htmlspecialchars($form->getValue('name'), ENT_QUOTES, 'UTF-8'); ?>" maxlength="30" />
 			<span class="error"><?php echo $form->getError('name'); ?></span>
 			</td>
 		</tr>
 		<tr>
 			<th><?php echo EMAIL; ?></th>
 			<td>
-				<input class="text" type="text" name="email" value="<?php echo stripslashes($form->getValue('email')); ?>" />
+				<input class="text" type="text" name="email" value="<?php echo htmlspecialchars(stripslashes($form->getValue('email')), ENT_QUOTES, 'UTF-8'); ?>" />
 				<span class="error"><?php echo $form->getError('email'); ?></span>
 				</td>
 			</tr>
 		<tr>
 			<th><?php echo PASSWORD; ?></th>
 			<td>
-				<input class="text" type="password" name="pw" value="<?php echo stripslashes($form->getValue('pw')); ?>" maxlength="100" />
+				<input class="text" type="password" name="pw" value="<?php echo htmlspecialchars(stripslashes($form->getValue('pw')), ENT_QUOTES, 'UTF-8'); ?>" maxlength="100" />
 				<span class="error"><?php echo $form->getError('pw'); ?></span>
 			</td>
 		</tr>
diff --git a/login.php b/login.php
index f65af221..4b494c93 100644
--- a/login.php
+++ b/login.php
@@ -193,7 +193,7 @@ Element.implement({
 		</tr>
 		<tr class="btm">
 			<th><?php echo PASSWORD; ?></th>
-			<td><input class="text" type="password" name="pw" value="<?php echo $form->getValue("pw");?>" maxlength="100" autocomplete='off' /> <span class="error"><?php echo $form->getError("pw"); ?></span></td>
+			<td><input class="text" type="password" name="pw" value="<?php echo htmlspecialchars($form->getValue("pw"), ENT_QUOTES, 'UTF-8');?>" maxlength="100" autocomplete='off' /> <span class="error"><?php echo $form->getError("pw"); ?></span></td>
 		</tr>
 	</tbody>
 </table>
@@ -217,7 +217,7 @@ if($form->getError("activate") != "") {
 	echo "<p class=\"error_box\">
 	<span class=\"error\">".EMAIL_NOT_VERIFIED."</span><br>
 	".EMAIL_FOLLOW."<br>
-	<a href=\"activate.php?usr=".$form->getError("activate")."\">".VERIFY_EMAIL."</a>
+	<a href=\"activate.php?usr=".urlencode($form->getError("activate"))."\">".VERIFY_EMAIL."</a>
 	</p>";
 }
 if($form->getError("vacation") != "") {

	+	getError('name'); ?>
	- + getError('email'); ?>
	- + getError('pw'); ?>
	" maxlength="100" autocomplete='off' /> getError("pw"); ?>	" maxlength="100" autocomplete='off' /> getError("pw"); ?>