PageTemplate/Fixup

* escape input username on user page
Sarjuuk 2026-01-27 14:23:27 +01:00
parent 0378a84373
commit 08ae564a48


@ -38,14 +38,10 @@ class UserBaseResponse extends TemplateResponse
if (!$rawParam)
$this->forwardToSignIn('user');
if ($user = DB::Aowow()->selectRow('SELECT a.`id`, a.`username`, a.`consecutiveVisits`, a.`userGroups`, a.`avatar`, a.`avatarborder`, a.`wowicon`, a.`title`, a.`description`, a.`joinDate`, a.`prevLogin`, IFNULL(SUM(ar.`amount`), 0) AS "sumRep", a.`prevIP`, a.`email` FROM ?_account a LEFT JOIN ?_account_reputation ar ON a.`id` = ar.`userId` WHERE LOWER(a.`username`) = LOWER(?) GROUP BY a.`id`', $rawParam))
if ($user = DB::Aowow()->selectRow('SELECT a.`id`, a.`username`, a.`consecutiveVisits`, a.`userGroups`, a.`avatar`, a.`avatarborder`, a.`wowicon`, a.`title`, a.`description`, a.`joinDate`, a.`prevLogin`, IFNULL(SUM(ar.`amount`), 0) AS "sumRep", a.`prevIP`, a.`email` FROM ?_account a LEFT JOIN ?_account_reputation ar ON a.`id` = ar.`userId` WHERE a.`id` <> 0 AND LOWER(a.`username`) = LOWER(?) GROUP BY a.`id`', $rawParam))
$this->user = $user;
else
$this->generateNotFound(Lang::user('notFound', [$rawParam]));
// do not display system account
if (!$this->user['id'])
$this->generateNotFound(Lang::user('notFound', [$rawParam]));
$this->generateNotFound(Lang::user('notFound', [Util::htmlEscape($rawParam)]));
}
protected function generate() : void
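Review bot: The reason for `a.`id` <> 0` in the rewritten query is no longer stated anywhere, because the `// do not display system account` comment disappeared together with the explicit `if (!$this->user['id'])` check it explained; a reader of the new line has to guess why id 0 is filtered, so keep the why next to the query, e.g. `// a.id <> 0: the system account is never rendered as a user page`. Escaping `$rawParam` with `Util::htmlEscape` before it reaches the not-found message is the right fix for this sink, but it only holds if `generateNotFound` and the template do not escape the message a second time (double-encoding) and if other places that reflect the raw username into markup are treated the same way; neither is visible from this hunk, so worth confirming. The enclosing method begins before the hunk.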