From fd8f1659b5113729ae6ebedf8e02c314ea180369 Mon Sep 17 00:00:00 2001
From: Dan Hemberger <daniel.hemberger@gmail.com>
Date: Wed, 27 Sep 2023 23:40:13 -0700
Subject: [PATCH] Escape vote questions in HTML display

Admin vote questions are now properly escaped. All strings input by
users should be escaped!

Also removed escaping of int `$Days` since only strings can be escaped.
---
 .../Default/engine/Default/admin/vote_create.php     | 12 ++++++++----
 src/templates/Default/engine/Default/game_play.php   |  2 +-
 src/templates/Default/engine/Default/vote.php        |  2 +-
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/templates/Default/engine/Default/admin/vote_create.php b/src/templates/Default/engine/Default/admin/vote_create.php
index fb3cc347a..61dbcda18 100644
--- a/src/templates/Default/engine/Default/admin/vote_create.php
+++ b/src/templates/Default/engine/Default/admin/vote_create.php
@@ -1,9 +1,13 @@
 <?php declare(strict_types=1);
 
-if (isset($PreviewVote)) { ?><table class="standard"><tr><td><?php echo bbify($PreviewVote); ?></td></tr></table><?php } ?>
+/**
+ * @var ?int $Days
+ */
+
+if (isset($PreviewVote)) { ?><table class="standard"><tr><td><?php echo bbify(htmlentities($PreviewVote)); ?></td></tr></table><?php } ?>
 <form name="VoteForm" method="POST" action="<?php echo $VoteFormHREF; ?>">
-	Question: <input type="text" name="question" required value="<?php if (isset($PreviewVote)) { echo htmlspecialchars($PreviewVote); } ?>" /><br />
-	Days to end: <input type="number" name="days" required value="<?php if (isset($Days)) { echo htmlspecialchars($Days); } ?>" /><br />
+	Question: <input type="text" name="question" required value="<?php if (isset($PreviewVote)) { echo bbify(htmlentities($PreviewVote)); } ?>" /><br />
+	Days to end: <input type="number" name="days" required value="<?php if (isset($Days)) { echo $Days; } ?>" /><br />
 	<input type="submit" name="action" value="Create Vote" />&nbsp;<input type="submit" name="action" value="Preview Vote" />
 </form>
 <br /><br />
@@ -12,7 +16,7 @@
 <form name="VoteForm" method="POST" action="<?php echo $VoteFormHREF; ?>">
 	Vote: <select id="vote" name="vote"><?php
 		foreach ($CurrentVotes as $CurrentVote) {
-			?><option value="<?php echo $CurrentVote['ID']; ?>"<?php if (isset($VoteID) && $CurrentVote['ID'] === $VoteID) { ?>selected="selected"<?php } ?>><?php echo bbify($CurrentVote['Question']); ?></option><?php
+			?><option value="<?php echo $CurrentVote['ID']; ?>"<?php if (isset($VoteID) && $CurrentVote['ID'] === $VoteID) { ?>selected="selected"<?php } ?>><?php echo bbify(htmlentities($CurrentVote['Question'])); ?></option><?php
 		} ?>
 	</select><br />
 	Option: <input type="text" name="option" required value="<?php if (isset($PreviewOption)) { echo htmlspecialchars($PreviewOption); } ?>" /><br />
diff --git a/src/templates/Default/engine/Default/game_play.php b/src/templates/Default/engine/Default/game_play.php
index 948cd96b7..270a763fd 100644
--- a/src/templates/Default/engine/Default/game_play.php
+++ b/src/templates/Default/engine/Default/game_play.php
@@ -96,7 +96,7 @@
 	foreach ($Voting as $Vote) {
 		?><br /><br />
 		<form name="FORM" method="POST" action="<?php echo $Vote['HREF'] ?>">
-			<span class="bold"><?php echo bbify($Vote['Question']); ?></span> (<?php echo $Vote['TimeRemaining']; ?> Remaining)<br /><?php
+			<span class="bold"><?php echo bbify(htmlentities($Vote['Question'])); ?></span> (<?php echo $Vote['TimeRemaining']; ?> Remaining)<br /><?php
 			foreach ($Vote['Options'] as $VoteOption) { ?>
 				<input type="radio" name="vote" required value="<?php echo $VoteOption['ID']; ?>"<?php if ($VoteOption['Chosen']) { ?> checked<?php } ?>><?php echo bbify($VoteOption['Text']); ?> (<?php echo $VoteOption['Votes']; ?> votes)<br /><?php
 			} ?>
diff --git a/src/templates/Default/engine/Default/vote.php b/src/templates/Default/engine/Default/vote.php
index bb070242a..297967dee 100644
--- a/src/templates/Default/engine/Default/vote.php
+++ b/src/templates/Default/engine/Default/vote.php
@@ -5,7 +5,7 @@
 	foreach ($Voting as $Vote) {
 		?><br /><br />
 		<form name="FORM" method="POST" action="<?php echo $Vote['HREF'] ?>">
-			<span class="bold"><?php echo bbify($Vote['Question']); ?></span> <?php if (isset($Vote['TimeRemaining'])) { ?>(<?php echo $Vote['TimeRemaining']; ?> Remaining)<?php } else { ?>(Ended <?php echo $Vote['EndDate']; ?>)<?php } ?><br /><?php
+			<span class="bold"><?php echo bbify(htmlentities($Vote['Question'])); ?></span> <?php if (isset($Vote['TimeRemaining'])) { ?>(<?php echo $Vote['TimeRemaining']; ?> Remaining)<?php } else { ?>(Ended <?php echo $Vote['EndDate']; ?>)<?php } ?><br /><?php
 			foreach ($Vote['Options'] as $VoteOption) { ?>
 				<input type="radio" name="vote" <?php if (!isset($Vote['TimeRemaining'])) { ?>disabled="disabled" <?php } ?>value="<?php echo $VoteOption['ID']; ?>"<?php if ($VoteOption['Chosen']) { ?> checked<?php } ?>><?php echo bbify($VoteOption['Text']); ?> (<?php echo $VoteOption['Votes']; ?> votes)<br /><?php
 			} ?>