release 1.1.9.1: fix XSS function lost in rebuild of always.php

VERSION

@@ -1 +1 @@
-1.1.9
+1.1.9.1

htdocs/always.php

@@ -8,6 +8,47 @@
 
 if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME'] ) ) header('Location: index.php');
 
+// XSS Protection
+function filter_post(&$val, $index) {
+    if(in_array($index, ["newpass1", "newpass2"])) return;
+
+    switch (gettype($val)) {
+        case "string":
+            $val = htmlspecialchars($val);
+            break;
+
+        case "array":
+            array_walk_recursive($val, function(&$v) {
+                if (gettype($v) == "string") {
+                    $v = htmlspecialchars($v);
+                }
+            });
+            break;
+    }
+}
+
+function clean_get() {
+    $temp = [];
+
+    foreach($_GET as $key => $value) {
+        // XSS is possible in both key and values
+        $k = htmlspecialchars($key);
+        $v = htmlspecialchars($value);
+        $temp[$k] = $v;
+    }
+
+    return $temp;
+}
+
+// Before anything else is executed we filter all the user input, a lot of code in this project
+// relies on variables that are easily manipulated by the user. These lines and functions filter all those variables.
+if(isset($_POST)) array_walk($_POST, 'filter_post');
+$_GET = clean_get();
+$_SERVER['REQUEST_URI'] = str_replace("&", "&", htmlspecialchars($_SERVER['REQUEST_URI']));
+$_SERVER['HTTP_REFERER'] = htmlspecialchars($_SERVER['HTTP_REFERER']);
+
+
+
 // Ensure the configuration starts out as an empty object.
 $c = (object) array();
 $c->script_start_time = microtime(true);
@@ -246,7 +287,7 @@ if ( function_exists('awl_set_locale') ) {
 */
 $c->code_version = 0;
 $c->want_awl_version = '0.60';
-$c->version_string = '1.1.9'; // The actual version # is replaced into that during the build /release process
+$c->version_string = '1.1.9.1'; // The actual version # is replaced into that during the build /release process
 if ( isset($c->version_string) && preg_match( '/(\d+)\.(\d+)\.(\d+)(.*)/', $c->version_string, $matches) ) {
   $c->code_major = $matches[1];
   $c->code_minor = $matches[2];

inc/always.php.in

@@ -8,6 +8,47 @@
 
 if ( preg_match('{/always.php$}', $_SERVER['SCRIPT_NAME'] ) ) header('Location: index.php');
 
+// XSS Protection
+function filter_post(&$val, $index) {
+    if(in_array($index, ["newpass1", "newpass2"])) return;
+
+    switch (gettype($val)) {
+        case "string":
+            $val = htmlspecialchars($val);
+            break;
+
+        case "array":
+            array_walk_recursive($val, function(&$v) {
+                if (gettype($v) == "string") {
+                    $v = htmlspecialchars($v);
+                }
+            });
+            break;
+    }
+}
+
+function clean_get() {
+    $temp = [];
+
+    foreach($_GET as $key => $value) {
+        // XSS is possible in both key and values
+        $k = htmlspecialchars($key);
+        $v = htmlspecialchars($value);
+        $temp[$k] = $v;
+    }
+
+    return $temp;
+}
+
+// Before anything else is executed we filter all the user input, a lot of code in this project
+// relies on variables that are easily manipulated by the user. These lines and functions filter all those variables.
+if(isset($_POST)) array_walk($_POST, 'filter_post');
+$_GET = clean_get();
+$_SERVER['REQUEST_URI'] = str_replace("&", "&", htmlspecialchars($_SERVER['REQUEST_URI']));
+$_SERVER['HTTP_REFERER'] = htmlspecialchars($_SERVER['HTTP_REFERER']);
+
+
+
 // Ensure the configuration starts out as an empty object.
 $c = (object) array();
 $c->script_start_time = microtime(true);