Tightening protection against XSS. See #10
Tightening protection against XSS. See #10

--- a/conf/notifications.php
+++ b/conf/notifications.php
@@ -41,7 +41,7 @@
 $notifs->addCredTypeFail->text = 'Credential Type Not Stored';
 
 $notifs->NoCredTypes->className = 'alert alert-info';
-$notifs->NoCredTypes->text = "You need to specify some Credential Types in System Settings before you can add Credentials</div><script type='text/javascript'>noCredTypes();</script>";
+$notifs->NoCredTypes->text = "You need to specify some Credential Types in System Settings before you can add Credentials<script type='text/javascript'>noCredTypes();</script>";
 $notifs->NoCredTypes->id = 'CredTypeNeedsAdding';
 
 $notifs->UserStoreSuccess->className = 'alert alert-success';
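Review bot: The new text on the `+` line still embeds `<script type='text/javascript'>noCredTypes();</script>` inside the notification message, so whatever renders `->text` has to print it unescaped, and that prevents escaping notification text uniformly at output. The notification already carries `id = 'CredTypeNeedsAdding'` on the following line, so the page script can invoke `noCredTypes()` when that id is present and the message can become plain text: `$notifs->NoCredTypes->text = 'You need to specify some Credential Types in System Settings before you can add Credentials';`. Removing the stray `</div>` is right; dropping the inline script is what would let the text path be treated like every other string.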
@@ -84,3 +84,4 @@
 
 
 ?>
+
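Review bot: The blank line added after `?>` at the end of the file is emitted as output, because PHP swallows only the single newline immediately following the closing tag and sends any further whitespace to the client. If conf/notifications.php is included before a `header()` call — lib/Handler.php in this same commit redirects with `header('Location: index.php?notif=LoginSuccess')` — that stray byte can produce a "headers already sent" failure wherever no output buffer is active. Either drop the added line or, since the file is PHP-only, remove the `?>` closing tag entirely.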

--- a/lib/API.php
+++ b/lib/API.php
@@ -8,7 +8,7 @@
 */
 defined('_CREDLOCK') or die;
 
-if(!ob_start("ob_gzhandler")) ob_start();
+ob_start();
 
 require_once 'lib/lang.php';
 require_once 'lib/auth.class.php';
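Review bot: `ob_start();` replaces the `ob_gzhandler` fallback form without a comment, and the commit message mentions only XSS, so a later reader cannot tell whether dropping compression was intended or incidental. A one-line comment would settle it, e.g. `// Plain output buffering only; ob_gzhandler was removed deliberately (see #10)` if that is the case. If the reason was that this file emits decrypted credential values (see the echo further down), saying so is worth recording, since compressing secret-bearing responses has its own side-channel considerations.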
@@ -81,16 +81,17 @@
     $key = 'Cre'.$cred->CredType;
 
     // Build the response
-    $pass = $crypt->decrypt($cred->Hash,$key);
-    $address = $crypt->decrypt($cred->Address,$key);
+    $pass = htmlspecialchars($crypt->decrypt($cred->Hash,$key));
+    $address = htmlspecialchars($crypt->decrypt($cred->Address,$key));
+    $uname = htmlspecialchars($crypt->decrypt($cred->UName,$key));
 
       if ($cred->Clicky){
 	  $pass = "<a href='$pass' target=_blank title='Click to Open'>$pass</a>";
       }
 
 
-    echo htmlspecialchars($pass).$opDivider."<a href='$address' target=_blank>".htmlspecialchars($address)."</a>" .$opDivider. 
-	 htmlspecialchars($crypt->decrypt($cred->UName,$key)) . $opDivider;
+    echo $pass.$opDivider."<a href='$address' target=_blank>".$address."</a>" .$opDivider. 
+	 $uname . $opDivider;
 
 
     // Call any configured plugins
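Review bot: `$pass` and `$address` are escaped with htmlspecialchars() using the default flags and then interpolated into single-quoted attributes (`href='$pass'` in the Clicky branch and `href='$address'` in the echo); on PHP before 8.1 the default flag set does not encode `'`, so a stored value containing a single quote still terminates the attribute. Pass `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly on all three escapes, which also pins the charset instead of relying on the ini default. Separately, attribute escaping does not constrain the URL scheme, so the Clicky branch hands the browser whatever scheme the stored value has; only link values that start with http(s) and print everything else as text, and apply the same check before wrapping `$address` in its anchor on the unchanged echo line. The enclosing function begins before this hunk.
```php
    $pass = htmlspecialchars($crypt->decrypt($cred->Hash,$key), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $address = htmlspecialchars($crypt->decrypt($cred->Address,$key), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $uname = htmlspecialchars($crypt->decrypt($cred->UName,$key), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Link only http(s) values: attribute escaping does not neutralise a script URL scheme.
    if ($cred->Clicky && preg_match('#^https?://#i', $pass)) {
        $pass = "<a href='$pass' target=_blank title='Click to Open'>$pass</a>";
    }
    // … unchanged: echo of $pass / $address / $uname joined by $opDivider …
```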

--- a/lib/Handler.php
+++ b/lib/Handler.php
@@ -41,7 +41,7 @@
     }
 
 
-	if ($auth->ProcessLogIn(BTMain::getVar('FrmUsername'),$pass)){
+	if ($auth->ProcessLogIn(htmlspecialchars(BTMain::getVar('FrmUsername')),$pass)){
 	    // Login successful
 	    header('Location: index.php?notif=LoginSuccess');
 	  }else{
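Review bot: `htmlspecialchars(BTMain::getVar('FrmUsername'))` escapes the login name before it is authenticated, which is escaping at the input boundary rather than at output: a username containing `&`, `<`, `>` or `"` is now compared against its encoded form, so any account created before this commit with such a character can no longer log in, and the same pattern in views/Customer/add.php, views/Customer/edit.php, views/Group/add.php, views/Group/edit.php, views/user/add.php and views/user/edit.php stores the encoded text instead of what the user typed. Stored values should stay raw and be escaped where they are rendered, as views/Creds/edit.php does in this same commit; if the edit views also escape on output, a stored `&amp;` grows to `&amp;amp;` on every save. This call is also not a substitute for bound parameters — whether `ProcessLogIn` is safe against query injection depends on the database layer, which is not visible here. Suggested change: `if ($auth->ProcessLogIn(BTMain::getVar('FrmUsername'),$pass)){` with the escaping moved to the views that print the username.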

--- a/lib/includes/groupSelection.php
+++ b/lib/includes/groupSelection.php
@@ -30,7 +30,7 @@
 ?> 
 <label for="frmGroup">Group</label><select name="frmGroup" id="frmGroup">
 <option value='null'> -- Select Group --</option>
-<option value="0" <?php if ($preselect == 0){ echo "selected";}>All users</option>
+<option value="0" <?php if (isset($preselect) && $preselect == 0){ echo "selected";}?>>All users</option>
 <?php
 
 foreach ($groups as $group){
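Review bot: `isset($preselect) && $preselect == 0` still uses loose comparison; on PHP 7 a non-numeric string such as the `'null'` placeholder value two lines above compares equal to `0`, so a form that posts the placeholder would render "All users" as selected. Comparing the string form strictly is unambiguous across versions: `<option value="0" <?php if (isset($preselect) && (string) $preselect === '0'){ echo "selected";}?>>All users</option>`. The added `?>` that closes the PHP block the old line left open is the substantive fix here.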

--- a/views/Creds/edit.php
+++ b/views/Creds/edit.php
@@ -121,7 +121,7 @@
 <?php if ($credtype == $cred->id):?>
 selected
 <?php endif; ?>
-><?php echo $crypt->decrypt($cred->Name,'CredType');?></option>
+><?php echo htmlspecialchars($crypt->decrypt($cred->Name,'CredType'));?></option>
 <?php
 
 }
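Review bot: The escape on the `+` line relies on the default flags and charset; for consistency with the attribute contexts elsewhere in this commit pass them explicitly: `><?php echo htmlspecialchars($crypt->decrypt($cred->Name,'CredType'), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');?></option>`. Escaping here, at the point of output, is the right place — the decrypted name is rendered, not written back. The loop that the closing `}` on the last line ends begins before this hunk.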

--- a/views/Customer/add.php
+++ b/views/Customer/add.php
@@ -16,7 +16,7 @@
 
 $db = new CustDB;
 
-if ($db->addCustomer(BTMain::getVar('FrmName'),BTMain::getVar('frmGroup'),BTMain::getVar('FrmconName'),BTMain::getVar('FrmSurname'),BTMain::getVar('FrmEmail'))){
+if ($db->addCustomer(htmlspecialchars(BTMain::getVar('FrmName')),BTMain::getVar('frmGroup'),htmlspecialchars(BTMain::getVar('FrmconName')),htmlspecialchars(BTMain::getVar('FrmSurname')),htmlspecialchars(BTMain::getVar('FrmEmail')))){
 
 
 $notifications->setNotification("addCustSuccess");

--- a/views/Customer/edit.php
+++ b/views/Customer/edit.php
@@ -18,7 +18,7 @@
 
 
 
-if ($db->editCustomer(BTMain::getVar('id'),BTMain::getVar('FrmName'),BTMain::getVar('frmGroup'),BTMain::getVar('FrmconName'),BTMain::getVar('FrmSurname'),BTMain::getVar('FrmEmail'))){
+if ($db->editCustomer(BTMain::getVar('id'),htmlspecialchars(BTMain::getVar('FrmName')),BTMain::getVar('frmGroup'),htmlspecialchars(BTMain::getVar('FrmconName')),htmlspecialchars(BTMain::getVar('FrmSurname')),htmlspecialchars(BTMain::getVar('FrmEmail')))){
 
 
 $notifications->setNotification("EditCustSuccess");

--- a/views/Group/add.php
+++ b/views/Group/add.php
@@ -16,7 +16,7 @@
 if (BTMain::getVar('GrpAddSubmitted')){
 
 $auth = new ProgAuth;
-if ($auth->addGroup(BTMain::getVar('frmName'))){
+if ($auth->addGroup(htmlspecialchars(BTMain::getVar('frmName')))){
 $notifications->setNotification("addGroupSuccess");
 
 }else{

--- a/views/Group/edit.php
+++ b/views/Group/edit.php
@@ -20,7 +20,7 @@
 if (BTMain::getVar('GrpEditSubmitted')){
 
 
-if ($auth->editGroup(BTMain::getVar('id'),BTMain::getVar('frmName'))){
+if ($auth->editGroup(BTMain::getVar('id'),htmlspecialchars(BTMain::getVar('frmName')))){
 $notifications->setNotification("addGroupSuccess");
 
 }else{

--- a/views/user/add.php
+++ b/views/user/add.php
@@ -48,7 +48,7 @@
 
 $authname = new ProgAuth;
 
-if ($authname->createUser($username,$pass,$RName, $groups)){
+if ($authname->createUser(htmlspecialchars($username),$pass,htmlspecialchars($RName), $groups)){
 
 
 

--- a/views/user/edit.php
+++ b/views/user/edit.php
@@ -47,7 +47,7 @@
 
 $authname = new ProgAuth;
 
-    if ($authname->editUser($username,$pass,$RName, $groups)){
+    if ($authname->editUser(htmlspecialchars($username),$pass,htmlspecialchars($RName), $groups)){
     $notifications->setNotification('UserStoreSuccess');
     }else{
     $notifications->setNotification('UserStoreFail');