Control panel: Escape HTML where possible

src/bot-modules/auto-invite/server-handler.js

@@ -47,8 +47,8 @@ exports.setup = function (App) {
 		}
 
 		let htmlVars = Object.create(null);
-		htmlVars.room = (App.config.modules.autoinvite.room || "");
-		htmlVars.publicroom = (App.config.modules.autoinvite.public || "");
+		htmlVars.room = Text.escapeHTML(App.config.modules.autoinvite.room || "");
+		htmlVars.publicroom = Text.escapeHTML(App.config.modules.autoinvite.public || "");
 		htmlVars.rank = getRankSelect('rank', App.config.modules.autoinvite.rank);
 
 		htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : ''));
@@ -64,10 +64,10 @@ exports.setup = function (App) {
 			rank = App.config.parser[rank];
 		}
 		let html = '';
-		html += '<select name="' + name + '">';
+		html += '<select name="' + Text.escapeHTML(name) + '">';
 		for (let j = 0; j < App.config.parser.groups.length; j++) {
-			html += '<option value="' + App.config.parser.groups[j] + '"' +
-			(rank === App.config.parser.groups[j] ? ' selected="selected"' : '') + '>Group ' + App.config.parser.groups[j] + '</option>';
+			html += '<option value="' + Text.escapeHTML(App.config.parser.groups[j]) + '"' +
+			(rank === App.config.parser.groups[j] ? ' selected="selected"' : '') + '>Group ' + Text.escapeHTML(App.config.parser.groups[j]) + '</option>';
 		}
 		html += '</select>';
 		return html;

src/bot-modules/battle-log/server-handler.js

@@ -50,12 +50,12 @@ exports.setup = function (App) {
 				App.config.modules.battlelog.maxbattles = maxbattles;
 				App.db.write();
 				App.logServerAction(context.user.id, "Set Battle Logger configuration.");
-				ok = "Changes made sucessfully.";
+				ok = "Changes made successfully.";
 			}
 		}
 
 		let htmlVars = Object.create(null);
-		htmlVars.maxbattles = (App.config.modules.battlelog.maxbattles || '0');
+		htmlVars.maxbattles = Text.escapeHTML(App.config.modules.battlelog.maxbattles || '0');
 
 		htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : ''));
 		htmlVars.request_msg = (ok ? ok : (error || ""));
@@ -64,13 +64,13 @@ exports.setup = function (App) {
 		let logs = App.modules.battlelog.system.getFiles();
 		for (let i = 0; i < logs.length; i++) {
 			htmlVars.log_files += '<tr>';
-			htmlVars.log_files += '<td>' + logs[i].file + '</td>';
-			htmlVars.log_files += '<td style="text-align: center; white-space: nowrap;"><a href="/battlelog/' + logs[i].file +
-				'" target="_blank" rel="noopener noreferrer"><button>View Log</button></a>&nbsp;|&nbsp;<a href="' + logs[i].psim +
+			htmlVars.log_files += '<td>' + Text.escapeHTML(logs[i].file) + '</td>';
+			htmlVars.log_files += '<td style="text-align: center; white-space: nowrap;"><a href="/battlelog/' + Text.escapeHTML(logs[i].file) +
+				'" target="_blank" rel="noopener noreferrer"><button>View Log</button></a>&nbsp;|&nbsp;<a href="' + Text.escapeHTML(logs[i].psim) +
 				'" target="_blank" rel="noopener noreferrer"><button>Recreate battle</button></a></td>';
 			htmlVars.log_files += '<td>' + Text.escapeHTML(logs[i].title) + '</td>';
-			htmlVars.log_files += '<td>' + logs[i].date + '</td>';
-			htmlVars.log_files += '<td>' + logs[i].size + ' KB</td>';
+			htmlVars.log_files += '<td>' + Text.escapeHTML(logs[i].date) + '</td>';
+			htmlVars.log_files += '<td>' + Text.escapeHTML(logs[i].size) + ' KB</td>';
 			htmlVars.log_files += '<td>' + Text.escapeHTML(logs[i].state || "-") + '</td>';
 
 			htmlVars.log_files += '</tr>';

src/bot-modules/battle/server-handler.js

@@ -84,14 +84,14 @@ exports.setup = function (App) {
 
 		let htmlVars = Object.create(null);
 
-		htmlVars.maxbattles = Config.maxBattles;
-		htmlVars.maxladder = Config.ladderBattles;
-		htmlVars.maxturns = Config.maxTurns || 0;
+		htmlVars.maxbattles = Text.escapeHTML(Config.maxBattles);
+		htmlVars.maxladder = Text.escapeHTML(Config.ladderBattles);
+		htmlVars.maxturns = Text.escapeHTML(Config.maxTurns || 0);
 		htmlVars.jointours = Object.keys(Config.joinTours).join(', ');
 		htmlVars.join_abandoned = (!Config.ignoreAbandonedbattles ? "checked=\"checked\"" : "");
-		htmlVars.initmsg = Config.initBattleMsg.join('\n');
-		htmlVars.winmsg = Config.winmsg.join('\n');
-		htmlVars.losemsg = Config.losemsg.join('\n');
+		htmlVars.initmsg = Text.escapeHTML(Config.initBattleMsg.join('\n'));
+		htmlVars.winmsg = Text.escapeHTML(Config.winmsg.join('\n'));
+		htmlVars.losemsg = Text.escapeHTML(Config.losemsg.join('\n'));
 
 		htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : ''));
 		htmlVars.request_msg = (ok ? ok : (error || ""));
@@ -152,9 +152,9 @@ exports.setup = function (App) {
 			try {
 				check(!mod.ChallManager.challenges || !mod.ChallManager.challenges.challengeTo, "There is a pending challenge request");
 				check(user, "You must specify an user to send the challenge");
-				check(App.bot.formats[format] && App.bot.formats[format].chall, "Format " + format + " is not available for challenges");
-				check(team || !App.bot.formats[format].team || mod.TeamBuilder.hasTeam(format), "No teams available for " + format);
-				check(!team || mod.TeamBuilder.dynTeams[team], "Team " + team + " not found");
+				check(App.bot.formats[format] && App.bot.formats[format].chall, "Format " + Text.escapeHTML(format) + " is not available for challenges");
+				check(team || !App.bot.formats[format].team || mod.TeamBuilder.hasTeam(format), "No teams available for " + Text.escapeHTML(format));
+				check(!team || mod.TeamBuilder.dynTeams[team], "Team " + Text.escapeHTML(team) + " not found");
 			} catch (err) {
 				error = err.message;
 			}
@@ -173,7 +173,7 @@ exports.setup = function (App) {
 				cmds.push('|/challenge ' + user + ", " + format);
 				App.bot.send(cmds);
 				App.logServerAction(context.user.id, "Send Challenge: " + user + " | " + format + " | " + (team || "-"));
-				ok = "Challenge request sent to " + user;
+				ok = "Challenge request sent to " + Text.escapeHTML(user);
 			}
 		} else if (context.post.cancelchall) {
 			if (mod.ChallManager.challenges && mod.ChallManager.challenges.challengeTo) {
@@ -218,7 +218,7 @@ exports.setup = function (App) {
 				check(!mod.LadderManager.laddering, "Already laddering");
 				check(format, "You must specify a format");
 				check(App.bot.formats[format] && App.bot.formats[format].ladder, "Invalid Format");
-				check(!App.bot.formats[format].team || mod.TeamBuilder.hasTeam(format), "No available teams for " + format);
+				check(!App.bot.formats[format].team || mod.TeamBuilder.hasTeam(format), "No available teams for " + Text.escapeHTML(format));
 				check(!isNaN(seconds) && seconds > 0, "Invalid interval");
 			} catch (err) {
 				error = err.message;
@@ -227,7 +227,7 @@ exports.setup = function (App) {
 			if (!error) {
 				mod.LadderManager.start(format, seconds * 1000);
 				App.logServerAction(context.user.id, "Start Laddering. Format: " + format + ", interval: " + seconds);
-				ok = 'Laddering in format: ' + App.bot.formats[format].name;
+				ok = 'Laddering in format: ' + Text.escapeHTML(App.bot.formats[format].name);
 			}
 		} else if (context.post.stopladder) {
 			try {
@@ -287,7 +287,7 @@ exports.setup = function (App) {
 				mod.TeamBuilder.saveTeams();
 				mod.TeamBuilder.mergeTeams();
 				App.logServerAction(context.user.id, "Delete Team: " + id);
-				ok = 'Team <strong>' + id + '</strong> deleted successfully';
+				ok = 'Team <strong>' + Text.escapeHTML(id) + '</strong> deleted successfully';
 			} else {
 				error = "Team not found";
 			}
@@ -317,7 +317,7 @@ exports.setup = function (App) {
 				mod.TeamBuilder.saveTeams();
 				mod.TeamBuilder.mergeTeams();
 				App.logServerAction(context.user.id, "Add Team: " + id);
-				ok = 'Team <strong>' + id + '</strong> added successfully';
+				ok = 'Team <strong>' + Text.escapeHTML(id) + '</strong> added successfully';
 			}
 		}
 
@@ -340,9 +340,9 @@ exports.setup = function (App) {
 			}
 			if (selectedFormat && selectedFormat !== teams[id].format) continue;
 			htmlVars.teams += teamsItemTemplate.make({
-				id: id,
+				id: Text.escapeHTML(id),
 				format: Text.escapeHTML(formatName),
-				pokemon: Teams.teamOverview(teams[id].packed),
+				pokemon: Text.escapeHTML(Teams.teamOverview(teams[id].packed)),
 			});
 		}
 

src/bot-modules/blacklist/server-handler.js

@@ -49,7 +49,7 @@ exports.setup = function (App) {
 				}
 				App.modules.blacklist.system.db.write();
 				App.logServerAction(context.user.id, "Edit Blacklist: " + room);
-				ok = "Blacklist saved for room " + room;
+				ok = "Blacklist saved for room " + Text.escapeHTML(room);
 			} else {
 				error = "You must specify a room";
 			}
@@ -60,9 +60,9 @@ exports.setup = function (App) {
 					App.modules.blacklist.system.data[room] = Object.create(null);
 					App.modules.blacklist.system.db.write();
 					App.logServerAction(context.user.id, "Added blacklist: " + room);
-					ok = "Added blacklist for room " + room;
+					ok = "Added blacklist for room " + Text.escapeHTML(room);
 				} else {
-					error = "Room " + room + " already has a blacklist";
+					error = "Room " + Text.escapeHTML(room) + " already has a blacklist";
 				}
 			} else {
 				error = "You must specify a room";
@@ -75,8 +75,8 @@ exports.setup = function (App) {
 		let data = App.modules.blacklist.system.data;
 		for (let room in data) {
 			htmlVars.rooms += roomTemplate.make({
-				room: room,
-				blacklist: Object.keys(data[room]).join(', '),
+				room: Text.escapeHTML(room),
+				blacklist: Text.escapeHTML(Object.keys(data[room]).join(', ')),
 			});
 		}
 

src/bot-modules/chat-logger/handlers/logs-config.js

@@ -56,10 +56,10 @@ exports.setup = function (App) {
 
 		let htmlVars = Object.create(null);
 
-		htmlVars.rooms = Object.keys(App.config.modules.chatlogger.rooms).join(', ');
+		htmlVars.rooms = Text.escapeHTML(Object.keys(App.config.modules.chatlogger.rooms).join(', '));
 		htmlVars.logpm = (App.config.modules.chatlogger.logpm ? ' checked="checked"' : '');
 		htmlVars.loggroupchats = (App.config.modules.chatlogger.logGroupChats ? ' checked="checked"' : '');
-		htmlVars.age = App.config.modules.chatlogger.maxold;
+		htmlVars.age = Text.escapeHTML(App.config.modules.chatlogger.maxold);
 
 		htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : ''));
 		htmlVars.request_msg = (ok ? ok : (error || ""));

src/bot-modules/core/commands/cmd-admin.translations

@@ -8,7 +8,7 @@ $0 = The command
 $1 = does not exists
 $2 = The alias
 $3 = now references the command
-$4 = was removed sucessfully
+$4 = was removed successfully
 $5 = was not found
 $6 = This command is only available for chat rooms
 $7 = Language for room

src/bot-modules/core/handlers/autojoin.js

@@ -36,7 +36,7 @@ function setup(App) {
 			App.config.modules.core.joinall = !!context.post.joinall;
 			App.db.write();
 			App.logServerAction(context.user.id, 'Edit Bot Autojoin details (Core Module)');
-			ok = "Bot Auto-Join details have been set sucessfully. Restart the bot to make them effective.";
+			ok = "Bot Auto-Join details have been set successfully. Restart the bot to make them effective.";
 
 			let cmds = [];
 
@@ -55,11 +55,11 @@ function setup(App) {
 
 		let htmlVars = Object.create(null);
 
-		htmlVars.rooms = (App.config.modules.core.rooms || []).join(', ');
-		htmlVars.privaterooms = (App.config.modules.core.privaterooms || []).join(', ');
+		htmlVars.rooms = Text.escapeHTML((App.config.modules.core.rooms || []).join(', '));
+		htmlVars.privaterooms = Text.escapeHTML((App.config.modules.core.privaterooms || []).join(', '));
 
-		htmlVars.avatar = (App.config.modules.core.avatar || '');
-		htmlVars.status = (App.config.modules.core.status || '');
+		htmlVars.avatar = Text.escapeHTML(App.config.modules.core.avatar || '');
+		htmlVars.status = Text.escapeHTML(App.config.modules.core.status || '');
 
 		htmlVars.joinofficial = App.config.modules.core.joinofficial ? 'checked="checked"' : '';
 		htmlVars.joinall = App.config.modules.core.joinall ? 'checked="checked"' : '';

src/bot-modules/core/handlers/login.js

@@ -39,7 +39,7 @@ function setup(App) {
 				App.config.modules.core.pass = pass;
 				App.db.write();
 				App.logServerAction(context.user.id, 'Edit Bot Login details (Core Module)');
-				ok = "Bot login details have been set sucessfully. Restart the bot to make them effective.";
+				ok = "Bot login details have been set successfully. Restart the bot to make them effective.";
 			}
 		}
 

src/bot-modules/games/trivia/server-handler.js

@@ -7,6 +7,7 @@
 const Path = require('path');
 const check = Tools('check');
 const Template = Tools('html-template');
+const Text = Tools('text');
 
 const mainTemplate = new Template(Path.resolve(__dirname, 'template.html'));
 const questionTemplate = new Template(Path.resolve(__dirname, 'template-question.html'));
@@ -105,9 +106,9 @@ exports.setup = function (App) {
 		htmlVars.questions = '';
 		for (let id in mod.data) {
 			htmlVars.questions += questionTemplate.make({
-				id: id,
-				clue: mod.data[id].clue,
-				answers: mod.data[id].answers.join(', '),
+				id: Text.escapeHTML(id),
+				clue: Text.escapeHTML(mod.data[id].clue),
+				answers: Text.escapeHTML(mod.data[id].answers.join(', ')),
 			});
 		}
 

src/bot-modules/games/wordgames/server-handler.js

@@ -7,6 +7,7 @@
 const Path = require('path');
 const check = Tools('check');
 const Template = Tools('html-template');
+const Text = Tools('text');
 
 const mainTemplate = new Template(Path.resolve(__dirname, 'template.html'));
 const groupTemplate = new Template(Path.resolve(__dirname, 'template-group.html'));
@@ -53,7 +54,7 @@ exports.setup = function (App) {
 				mod.data[group] = words;
 				mod.db.write();
 				App.logServerAction(context.user.id, "Words of Games: Add");
-				ok = "Group <strong>" + group + "</strong> added sucessfully.";
+				ok = "Group <strong>" + Text.escapeHTML(group) + "</strong> added successfully.";
 			}
 		} else if (context.post.delgroup) {
 			let group = (context.post.wordgroup || "");
@@ -68,7 +69,7 @@ exports.setup = function (App) {
 				delete mod.data[group];
 				mod.db.write();
 				App.logServerAction(context.user.id, "Words of Games: Delete");
-				ok = "Group <strong>" + group + "</strong> deleted sucessfully.";
+				ok = "Group <strong>" + Text.escapeHTML(group) + "</strong> deleted successfully.";
 			}
 		} else if (context.post.edit) {
 			let group = (context.post.wordgroup || "");
@@ -93,7 +94,7 @@ exports.setup = function (App) {
 				mod.data[group] = words;
 				mod.db.write();
 				App.logServerAction(context.user.id, "Words of Games: Edit");
-				ok = "Group <strong>" + group + "</strong> sucessfully modified.";
+				ok = "Group <strong>" + Text.escapeHTML(group) + "</strong> successfully modified.";
 			}
 		}
 
@@ -102,13 +103,12 @@ exports.setup = function (App) {
 		htmlVars.groups = '';
 		for (let group in mod.data) {
 			htmlVars.groups += groupTemplate.make({
-				group: group,
-				jsongroup: JSON.stringify(group),
-				words: mod.data[group].join(', '),
+				group: Text.escapeHTML(group),
+				words: Text.escapeHTM(mod.data[group].join(', ')),
 			});
 		}
 
-		htmlVars.words = (errAdd ? (context.post.words || "") : '');
+		htmlVars.words = Text.escapeHTML(errAdd ? (context.post.words || "") : '');
 		htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : ''));
 		htmlVars.request_msg = (ok ? ok : (error || ""));
 

src/bot-modules/games/wordgames/template-group.html

@@ -1,7 +1,7 @@
 <hr />
 <form method="post" action="">
 	<p>Group <strong>${GROUP}</strong> (words separated by commas)</p>
-	<input type="hidden" name="wordgroup" value=${JSONGROUP} />
+	<input type="hidden" name="wordgroup" value=${GROUP} />
 	<p><textarea name="words" cols="100" rows="3">${WORDS}</textarea></p>
 	<p><input type="submit" name="edit" value="Edit Group" /></p>
 </form>

src/bot-modules/github/server-handler.js

@@ -59,10 +59,10 @@ exports.setup = function (App) {
 
 		let htmlVars = Object.create(null);
 
-		htmlVars.room = config.room;
-		htmlVars.port = config.port;
-		htmlVars.secret = config.secret;
-		htmlVars.bl = Object.keys(config.blacklist).join(', ');
+		htmlVars.room = Text.escapeHTML(config.room);
+		htmlVars.port = Text.escapeHTML(config.port);
+		htmlVars.secret = Text.escapeHTML(config.secret);
+		htmlVars.bl = Text.escapeHTML(Object.keys(config.blacklist).join(', '));
 		htmlVars.enabled = (config.enabled ? ' checked="checked"' : '');
 
 		htmlVars.request_result = (ok ? 'ok-msg' : (error ? 'error-msg' : ''));