From b7c69d409f031970960f5d832fa4e8dd17197ed1 Mon Sep 17 00:00:00 2001
From: liushuyu
Date: Tue, 24 Mar 2020 00:02:37 -0600
Subject: [PATCH] lsp: fix escaping...

Fix the following escaping
* comments
* file names
---
 public/js/lsp.js | 3 +--
 public/lsp/add_file.php | 2 +-
 public/lsp/comment_file.php | 2 +-
 templates/lsp/show_file.twig | 6 +++---
 4 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/public/js/lsp.js b/public/js/lsp.js
index 32f88ae0..77d7382d 100644
--- a/public/js/lsp.js
+++ b/public/js/lsp.js
@@ -109,12 +109,11 @@ function blink(item_id) {
 */
 $(document).on('change', '.btn-file :file', function () {
 var input = $(this),
- numFiles = input.get(0).files ? input.get(0).files.length : 1,
 label = input
 .val()
 .replace(/\\/g, '/')
 .replace(/.*\//, '');
- $('#file-selected').html(label ? label : 'No file selected');
+ $('#file-selected').text(label ? label : 'No file selected').html();
 $('#file-selected')
 .removeClass()
 .addClass(label ? 'text-primary' : 'text-danger');
diff --git a/public/lsp/add_file.php b/public/lsp/add_file.php
index c1d203a4..3a5e610a 100644
--- a/public/lsp/add_file.php
+++ b/public/lsp/add_file.php
@@ -63,7 +63,7 @@ $user_id = get_user_id(SESSION());
 $file_id = insert_file(
- $file_name,
+ htmlspecialchars_decode($file_name),
 $user_id,
 $category_id,
 $subcategory_id,
diff --git a/public/lsp/comment_file.php b/public/lsp/comment_file.php
index ea90efc7..ba3aa2af 100644
--- a/public/lsp/comment_file.php
+++ b/public/lsp/comment_file.php
@@ -11,7 +11,7 @@
 $error = 'Please type a message';
 }
 } else {
- add_visitor_comment(GET('file'), POST('text'), SESSION());
+ add_visitor_comment(GET('file'), html_entity_decode(POST('text')), SESSION());
 redirect($LSP_URL . '?action=show&file=' . GET('file') . '#footer');
 }
 } else {
diff --git a/templates/lsp/show_file.twig b/templates/lsp/show_file.twig
index 13516849..28988a50 100644
--- a/templates/lsp/show_file.twig
+++ b/templates/lsp/show_file.twig
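Review bot: The trailing `.html()` on the new `$('#file-selected').text(...)` line in lsp.js is a no-op: called with no argument, jQuery's `.html()` is a getter that returns the element's serialized markup and the result is discarded, so the `.text()` setter is the only effect. Left in place it reads as though the label were being re-rendered as HTML, which is exactly what this change is meant to stop, so I would drop it: `$('#file-selected').text(label ? label : 'No file selected');`. `.text()` is the right call here because `label` is derived from the user-chosen file name via `input.val()`. The change handler's closing `});` lies outside the hunk.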
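Review bot: `htmlspecialchars_decode($file_name)` in add_file.php runs with the default flags, which before PHP 8.1 are `ENT_COMPAT | ENT_HTML401`: `&lt;`, `&gt;`, `&amp;` and `&quot;` are decoded but `&#039;` is not, so if the layer that pre-escapes `$file_name` used `ENT_QUOTES` (I cannot see it from here), a single quote in a file name is stored as a literal entity and then double-escaped to `&amp;#039;` on output. Mirror the encoder's flags, e.g. `htmlspecialchars_decode($file_name, ENT_QUOTES),`. Storing the decoded name also means every place that renders `filename` must escape it at output time; the twig change in this patch covers one site, and the others are not visible here. The `insert_file(` argument list continues past the end of the hunk.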
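Review bot: `html_entity_decode(POST('text'))` in comment_file.php is a different inverse from the `htmlspecialchars_decode` this same patch uses for file names, and it too runs with the default flags, so before PHP 8.1 `&#039;` is left undecoded and a single quote in a comment survives in the database as a literal entity. Use one decoder that mirrors whatever POST() applies, with matching flags — presumably `htmlspecialchars_decode(POST('text'), ENT_QUOTES)` — and ideally stop escaping at input altogether so the stored text is raw and escaping happens only at render time. Because the stored comment can now contain `<`, `>` and quotes, every template that prints comment text must escape it, and nothing in this hunk shows those render sites. The surrounding if/else chain starts and ends outside the hunk.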
@@ -8,7 +8,7 @@ {% for rs in rows %}
- {{macros.make_title([rs['category'], rs['subcategory'], rs['filename']])}}
+ {{macros.make_title([rs['category'], rs['subcategory'], rs['filename']|escape])}}