lsp: fix escaping...

Fix the following escaping * comments * file names
LMMS · Mar 24, 2020 · b7c69d4 · b7c69d4
1 parent b719b02
commit b7c69d4
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 7 deletions.
diff --git a/public/js/lsp.js b/public/js/lsp.js
@@ -109,12 +109,11 @@ function blink(item_id) {
  */
 $(document).on('change', '.btn-file :file', function () {
     var input = $(this),
-        numFiles = input.get(0).files ? input.get(0).files.length : 1,
         label = input
             .val()
             .replace(/\\/g, '/')
             .replace(/.*\//, '');
-    $('#file-selected').html(label ? label : 'No file selected');
+    $('#file-selected').text(label ? label : 'No file selected').html();
     $('#file-selected')
         .removeClass()
         .addClass(label ? 'text-primary' : 'text-danger');

diff --git a/public/lsp/add_file.php b/public/lsp/add_file.php
@@ -63,7 +63,7 @@
 
 				$user_id = get_user_id(SESSION());
 				$file_id = insert_file(
-					$file_name,
+					htmlspecialchars_decode($file_name),
 					$user_id,
 					$category_id,
 					$subcategory_id,

diff --git a/public/lsp/comment_file.php b/public/lsp/comment_file.php
@@ -11,7 +11,7 @@
 			$error = 'Please type a message';
 		}
 	} else {
-		add_visitor_comment(GET('file'), POST('text'), SESSION());
+		add_visitor_comment(GET('file'), html_entity_decode(POST('text')), SESSION());
 		redirect($LSP_URL . '?action=show&file=' . GET('file') . '#footer');
 	}
 } else {

diff --git a/templates/lsp/show_file.twig b/templates/lsp/show_file.twig
@@ -8,7 +8,7 @@
     <script defer src="https://cdnjs.cloudflare.com/ajax/libs/jQuery-linkify/2.1.9/linkify-jquery.min.js" integrity="sha256-F70q7AGz3CYOo2UIkomPSg5xAnO52dJ646kytZ7lSEQ=" crossorigin="anonymous"></script>
     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-star-rating/4.0.6/css/star-rating.min.css" />
     {% for rs in rows %}
-        {{macros.make_title([rs['category'], rs['subcategory'], rs['filename']])}}
+        {{macros.make_title([rs['category'], rs['subcategory'], rs['filename']|escape])}}
         <table class="table table-striped">
             <td><div class="overflow-hidden">
             <small>by <a href="/lsp?action=browse&user={{rs['login']}}">
@@ -77,10 +77,10 @@
                 {# Bold comments made by the original author #}
                 {% if comment['commentuser'] == comment['fileuser'] %}
                     <strong>
-                    {{comment['text']|raw}}
+                    {{comment['text']}}
                     </strong>
                 {% else %}
-                    {{comment['text']|raw}}
+                    {{comment['text']}}
                 {% endif %}
                 <small class="lsp-small">Posted by: 
                 <a href="/lsp?action=browse&amp;user={{comment['login']}}">{{comment['login']}}</a>