From 6af2c4ad0e288fae5702e96391657d173bba2297 Mon Sep 17 00:00:00 2001
From: Matthew Noorenberghe <github@matthew.noorenberghe.com>
Date: Sat, 9 Feb 2019 18:06:21 -0800
Subject: [PATCH] Escape output of WEB_TITLE, HOME_URL, HOME_CONTENT, &
 WEB_CONSOLE_BANNER. Fixes #2468

---
 web/skins/classic/includes/functions.php | 8 ++++----
 web/skins/classic/views/login.php        | 2 +-
 web/skins/classic/views/logout.php       | 2 +-
 web/skins/classic/views/none.php         | 2 +-
 web/skins/classic/views/postlogin.php    | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/web/skins/classic/includes/functions.php b/web/skins/classic/includes/functions.php
index 703cd49d3..063977942 100644
--- a/web/skins/classic/includes/functions.php
+++ b/web/skins/classic/includes/functions.php
@@ -57,7 +57,7 @@ function xhtmlHeaders( $file, $title ) {
 <head>
   <meta charset="utf-8">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
-  <title><?php echo ZM_WEB_TITLE_PREFIX ?> - <?php echo validHtmlStr($title) ?></title>
+  <title><?php echo validHtmlStr(ZM_WEB_TITLE_PREFIX); ?> - <?php echo validHtmlStr($title) ?></title>
 <?php
 if ( file_exists( "skins/$skin/css/$css/graphics/favicon.ico" ) ) {
   echo "
@@ -207,7 +207,7 @@ function getBodyTopHTML() {
 <body>
 <noscript>
 <div style="background-color:red;color:white;font-size:x-large;">
-'. ZM_WEB_TITLE .' requires Javascript. Please enable Javascript in your browser for this site.
+'. validHtmlStr(ZM_WEB_TITLE) .' requires Javascript. Please enable Javascript in your browser for this site.
 
 </div>
 </noscript>
@@ -254,7 +254,7 @@ function getNavBarHTML($reload = null) {
 				<span class="icon-bar"></span>
 				<span class="icon-bar"></span>
 			</button>
-      <div class="navbar-brand"><a href="<?php echo ZM_HOME_URL?>" target="<?php echo ZM_WEB_TITLE ?>"><?php echo ZM_HOME_CONTENT ?></a></div>
+      <div class="navbar-brand"><a href="<?php echo validHtmlStr(ZM_HOME_URL); ?>" target="<?php echo validHtmlStr(ZM_WEB_TITLE); ?>"><?php echo validHtmlStr(ZM_HOME_CONTENT); ?></a></div>
 		</div>
 
 		<div class="collapse navbar-collapse" id="main-header-nav">
@@ -383,7 +383,7 @@ if ($reload == 'reload') ob_start();
 ?></li>
   </ul>
     <?php if ( defined('ZM_WEB_CONSOLE_BANNER') and ZM_WEB_CONSOLE_BANNER != '' ) { ?>
-        <h3 id="development"><?php echo ZM_WEB_CONSOLE_BANNER ?></h3>
+        <h3 id="development"><?php echo validHtmlStr(ZM_WEB_CONSOLE_BANNER); ?></h3>
     <?php } ?>	
 <!-- End .footer/reload --></div>
 <?php
diff --git a/web/skins/classic/views/login.php b/web/skins/classic/views/login.php
index c40f50615..43da81be1 100644
--- a/web/skins/classic/views/login.php
+++ b/web/skins/classic/views/login.php
@@ -16,7 +16,7 @@ xhtmlHeaders(__FILE__, translate('Login') );
 
 			<div id="loginform">
 
-        <h1><i class="material-icons md-36">account_circle</i> <?php echo ZM_WEB_TITLE . ' ' . translate('Login') ?></h1>
+        <h1><i class="material-icons md-36">account_circle</i> <?php echo validHtmlStr(ZM_WEB_TITLE) . ' ' . translate('Login') ?></h1>
 	
 				<label for="inputUsername" class="sr-only"><?php echo translate('Username') ?></label>
 				<input type="text" id="inputUsername" name="username" class="form-control" placeholder="Username" required autofocus />
diff --git a/web/skins/classic/views/logout.php b/web/skins/classic/views/logout.php
index 772bacd80..1b38d812f 100644
--- a/web/skins/classic/views/logout.php
+++ b/web/skins/classic/views/logout.php
@@ -25,7 +25,7 @@ xhtmlHeaders(__FILE__, translate('Logout') );
 <body>
   <div id="page">
     <div id="header">
-      <h1><?php echo ZM_WEB_TITLE . ' ' . translate('Logout') ?></h1>
+      <h1><?php echo validHtmlStr(ZM_WEB_TITLE) . ' ' . translate('Logout') ?></h1>
     </div>
     <div id="content">
       <form name="contentForm" id="contentForm" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>">
diff --git a/web/skins/classic/views/none.php b/web/skins/classic/views/none.php
index da04ed19b..1213b44d5 100644
--- a/web/skins/classic/views/none.php
+++ b/web/skins/classic/views/none.php
@@ -25,7 +25,7 @@ $skinJsFile = getSkinFile('js/skin.js');
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <title><?php echo ZM_WEB_TITLE_PREFIX ?></title>
+  <title><?php echo validHtmlStr(ZM_WEB_TITLE_PREFIX); ?></title>
   <script nonce="<?php echo $cspNonce ?>">
 <?php
 require_once($skinJsPhpFile);
diff --git a/web/skins/classic/views/postlogin.php b/web/skins/classic/views/postlogin.php
index f57d5335c..f183aa62f 100644
--- a/web/skins/classic/views/postlogin.php
+++ b/web/skins/classic/views/postlogin.php
@@ -23,7 +23,7 @@ xhtmlHeaders(__FILE__, translate('LoggingIn') );
 <body>
   <div id="page">
     <div id="header">
-      <h1><?php echo ZM_WEB_TITLE . ' ' . translate('Login') ?></h1>
+      <h1><?php echo validHtmlStr(ZM_WEB_TITLE) . ' ' . translate('Login') ?></h1>
     </div>
     <div id="content">
       <h2><?php echo translate('LoggingIn') ?></h2>