From 01c5da322a25f3c0af92f9af3dc939cf6f1f2b1c Mon Sep 17 00:00:00 2001
From: divinity76 <divinity76@gmail.com>
Date: Mon, 26 Aug 2019 02:11:02 +0200
Subject: [PATCH] html-encode dynamic values in buypoints.php (#364)

* add html encoding function

* html-encode dynamic values

important if the values contain special characters like '&<>"

(for example if $config['site_title'] is `AT&T` or `<AWESOMESERVER>`, the old code would generate invalid html, but this updated code will generate valid html.)
---
 buypoints.php               | 34 +++++++++++++++++-----------------
 engine/function/general.php |  4 ++++
 2 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/buypoints.php b/buypoints.php
index 6b4b275..e61cbdd 100644
--- a/buypoints.php
+++ b/buypoints.php
@@ -31,19 +31,19 @@ if ($paypal['enabled']) {
 		<td>
 			<form action="https://www.paypal.com/cgi-bin/webscr" method="POST">
 				<input type="hidden" name="cmd" value="_xclick">
-				<input type="hidden" name="business" value="<?php echo $paypal['email']; ?>">
-				<input type="hidden" name="item_name" value="<?php echo $points .' shop points on '. $config['site_title']; ?>">
+				<input type="hidden" name="business" value="<?php echo hhb_tohtml($paypal['email']); ?>">
+				<input type="hidden" name="item_name" value="<?php echo $points .' shop points on '. hhb_tohtml($config['site_title']); ?>">
 				<input type="hidden" name="item_number" value="1">
 				<input type="hidden" name="amount" value="<?php echo $price; ?>">
 				<input type="hidden" name="no_shipping" value="1">
 				<input type="hidden" name="no_note" value="1">
-				<input type="hidden" name="currency_code" value="<?php echo $paypal['currency']; ?>">
+				<input type="hidden" name="currency_code" value="<?php echo hhb_tohtml($paypal['currency']); ?>">
 				<input type="hidden" name="lc" value="GB">
 				<input type="hidden" name="bn" value="PP-BuyNowBF">
-				<input type="hidden" name="return" value="<?php echo $paypal['success']; ?>">
-				<input type="hidden" name="cancel_return" value="<?php echo $paypal['failed']; ?>">
+				<input type="hidden" name="return" value="<?php echo hhb_tohtml($paypal['success']); ?>">
+				<input type="hidden" name="cancel_return" value="<?php echo hhb_tohtml($paypal['failed']); ?>">
 				<input type="hidden" name="rm" value="2">
-				<input type="hidden" name="notify_url" value="<?php echo $paypal['ipn']; ?>" />
+				<input type="hidden" name="notify_url" value="<?php echo hhb_tohtml($paypal['ipn']); ?>" />
 				<input type="hidden" name="custom" value="<?php echo (int)$session_user_id; ?>">
 				<input type="submit" value="  PURCHASE  ">
 			</form>
@@ -59,13 +59,13 @@ if ($paypal['enabled']) {
 if ($config['pagseguro']['enabled'] == true) {
 ?>
 	<h2>Buy points using Pagseguro:</h2>
-	<form target="pagseguro" action="https://<?=$pagseguro['urls']['www']?>/checkout/checkout.jhtml" method="post">
-		<input type="hidden" name="email_cobranca" value="<?=$pagseguro['email']?>">
+	<form target="pagseguro" action="https://<?=hhb_tohtml($pagseguro['urls']['www'])?>/checkout/checkout.jhtml" method="post">
+		<input type="hidden" name="email_cobranca" value="<?=hhb_tohtml($pagseguro['email'])?>">
 		<input type="hidden" name="tipo" value="CP">
-		<input type="hidden" name="moeda" value="<?=$pagseguro['currency']?>">
+		<input type="hidden" name="moeda" value="<?=hhb_tohtml($pagseguro['currency'])?>">
 		<input type="hidden" name="ref_transacao" value="<?php echo (int)$session_user_id; ?>">
 		<input type="hidden" name="item_id_1" value="1">
-		<input type="hidden" name="item_descr_1" value="<?=$pagseguro['product_name']?>">
+		<input type="hidden" name="item_descr_1" value="<?=hhb_tohtml($pagseguro['product_name'])?>">
 		<input type="number" name="item_quant_1" min="1" step="4" value="1">
 		<input type="hidden" name="item_peso_1" value="0">
 		<input type="hidden" name="item_valor_1" value="<?=$pagseguro['price']?>">
@@ -80,15 +80,15 @@ if ($config['paygol']['enabled'] == true) {
 <!-- PayGol Form using Post method -->
 <h2>Buy points using Paygol:</h2>
 <?php $paygol = $config['paygol']; ?>
-<p><?php echo $paygol['price'] ." ". $paygol['currency'] ."~ for ". $paygol['points'] ." points:"; ?></p>
+<p><?php echo $paygol['price'] ." ". hhb_tohtml($paygol['currency']) ."~ for ". $paygol['points'] ." points:"; ?></p>
 <form name="pg_frm" method="post" action="http://www.paygol.com/micropayment/paynow" >
-	<input type="hidden" name="pg_serviceid" value="<?php echo $paygol['serviceID']; ?>">
-	<input type="hidden" name="pg_currency" value="<?php echo $paygol['currency']; ?>">
-	<input type="hidden" name="pg_name" value="<?php echo $paygol['name']; ?>">
-	<input type="hidden" name="pg_custom" value="<?php echo $session_user_id; ?>">
+	<input type="hidden" name="pg_serviceid" value="<?php echo hhb_tohtml($paygol['serviceID']); ?>">
+	<input type="hidden" name="pg_currency" value="<?php echo hhb_tohtml($paygol['currency']); ?>">
+	<input type="hidden" name="pg_name" value="<?php echo hhb_tohtml($paygol['name']); ?>">
+	<input type="hidden" name="pg_custom" value="<?php echo hhb_tohtml($session_user_id); ?>">
 	<input type="hidden" name="pg_price" value="<?php echo $paygol['price']; ?>">
-	<input type="hidden" name="pg_return_url" value="<?php echo $paygol['returnURL']; ?>">
-	<input type="hidden" name="pg_cancel_url" value="<?php echo $paygol['cancelURL']; ?>">
+	<input type="hidden" name="pg_return_url" value="<?php echo hhb_tohtml($paygol['returnURL']); ?>">
+	<input type="hidden" name="pg_cancel_url" value="<?php echo hhb_tohtml($paygol['cancelURL']); ?>">
 	<input type="image" name="pg_button" src="http://www.paygol.com/micropayment/img/buttons/150/black_en_pbm.png" border="0" alt="Make payments with PayGol: the easiest way!" title="Make payments with PayGol: the easiest way!">
 </form>
 <?php }
diff --git a/engine/function/general.php b/engine/function/general.php
index f5ef0e0..8a4b94b 100644
--- a/engine/function/general.php
+++ b/engine/function/general.php
@@ -559,5 +559,9 @@ function verifyGoogleReCaptcha($postResponse = null) {
 	$json = json_decode($response);
 	return isset($json->success) && $json->success;
 }
+// html encoding function (encode any string to valid UTF-8 HTML)
+function hhb_tohtml(/*string*/ $str)/*:string*/ {
+	return htmlentities($str, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE | ENT_DISALLOWED, 'UTF-8', true);
+}
 
 ?>