Fix CVE-2023-36995

GameEngine/Admin/database.php

@@ -82,6 +82,7 @@ class adm_DB {
 	        $bcrypted = false;
 	    }
 
+		$username = htmlspecialchars($username);
 	    if($pwOk) {
 	        // update password to bcrypt, if correct
 	        if (!$dbarray['is_bcrypt'] && !$bcrypted) {

GameEngine/Database.php

@@ -3109,6 +3109,8 @@ class MYSQLi_DB implements IDbConnection {
 	*****************************************/
 	function createAlliance($tag, $name, $uid, $max) {
 	    list($tag, $name, $uid, $max) = $this->escape_input($tag, $name, (int) $uid, (int) $max);
+        $tag = $this->RemoveXSS($tag);
+        $name = $this->RemoveXSS($name);
 
 	    $q = "INSERT into " . TB_PREFIX . "alidata values (0,'$name','$tag',$uid,0,0,0,'','',$max,0,0,0,0,0,0,0,0,0)";
 		mysqli_query($this->dblink,$q);

GameEngine/Ranking.php

@@ -163,7 +163,7 @@
 			private function getStart($search) {
 				$multiplier = 1;
 				if(!is_numeric($search)) {
-					$_SESSION['search'] = $search;
+					$_SESSION['search'] = htmlspecialchars($search);
 				} else {
 					if($search > count($this->rankarray)) {
 						$search = count($this->rankarray) - 1;
@@ -172,8 +172,8 @@
 						$multiplier += 1;
 					}
 					$start = 20 * $multiplier - 19 - 1;
-					$_SESSION['search'] = $search;
-					$_SESSION['start'] = $start;
+					$_SESSION['search'] = htmlspecialchars($search);
+					$_SESSION['start'] = htmlspecialchars($start);
 				}
 			}
 

Templates/Profile/preference.tpl

@@ -36,12 +36,12 @@ if($_POST) {
         
         if(substr($key, 0, 8) == 'linkname') {
             $i = substr($key, 8);
-            $links[$i]['linkname'] = mysqli_real_escape_string($database->dblink, $value);
+            $links[$i]['linkname'] = htmlspecialchars(mysqli_real_escape_string($database->dblink, $value));
         }
         
         if(substr($key, 0, 8) == 'linkziel') {
             $i = substr($key, 8);
-            $links[$i]['linkziel'] = mysqli_real_escape_string($database->dblink, $value);
+            $links[$i]['linkziel'] = htmlspecialchars(mysqli_real_escape_string($database->dblink, $value));
         }
     }
     

login.php

@@ -186,7 +186,7 @@ Element.implement({
 	<tbody>
 		<tr class="top">
 			<th><?php echo NAME; ?></th>
-			<td><input class="text" type="text" name="user" value="<?php echo stripslashes(stripslashes(stripslashes($form->getDiff("user",$_COOKIE['COOKUSR'])))); ?>" maxlength="30" autocomplete='off' /> <span class="error"> <?php echo $form->getError("user"); ?></span></td>
+			<td><input class="text" type="text" name="user" value="<?php echo htmlspecialchars($form->getDiff("user",$_COOKIE['COOKUSR'])); ?>" maxlength="30" autocomplete='off' /> <span class="error"> <?php echo $form->getError("user"); ?></span></td>
 		</tr>
 		<tr class="btm">
 			<th><?php echo PASSWORD; ?></th>