From 04540c50dc912bad6f6ff75205e189cff24bb276 Mon Sep 17 00:00:00 2001
From: lastlink
Date: Mon, 11 Oct 2021 13:48:59 -0400
Subject: [PATCH 1/3] php code scan
---
 .github/workflows/pslam.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/workflows/pslam.yml
diff --git a/.github/workflows/pslam.yml b/.github/workflows/pslam.yml
new file mode 100644
index 0000000..c42d65d
--- /dev/null
+++ b/.github/workflows/pslam.yml
@@ -0,0 +1,24 @@
+name: Psalm Security Scan
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ master ]
+
+jobs:
+ psalm:
+ name: Psalm
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Psalm Security Scan
+ uses: docker://ghcr.io/psalm/psalm-security-scan
+
+ - name: Upload Security Analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: results.sarif
\ No newline at end of file
From f9d81d18cf44a003511527fd936cbcb814c8037c Mon Sep 17 00:00:00 2001
From: lastlink
Date: Mon, 11 Oct 2021 13:58:03 -0400
Subject: [PATCH 2/3] cleanup
---
 .github/workflows/pslam.yml | 4 ++
 .../snyk-infrastructure-analysis.yml | 42 -------------------
 2 files changed, 4 insertions(+), 42 deletions(-)
 delete mode 100644 .github/workflows/snyk-infrastructure-analysis.yml
diff --git a/.github/workflows/pslam.yml b/.github/workflows/pslam.yml
index c42d65d..0533c39 100644
--- a/.github/workflows/pslam.yml
+++ b/.github/workflows/pslam.yml
@@ -17,6 +17,10 @@ jobs:
 - name: Psalm Security Scan
 uses: docker://ghcr.io/psalm/psalm-security-scan
+ with:
+ security_analysis: true
+ report_file: results.sarif
+ composer_require_dev: true
 - name: Upload Security Analysis results to GitHub
 uses: github/codeql-action/upload-sarif@v1
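Review bot: The job runs with the default GITHUB_TOKEN grant while the only write it needs is `security-events` for the `upload-sarif` step at the end of the hunk; add `permissions:` with `contents: read` and `security-events: write` at the top level (above `jobs:`) so the checkout and the scan container run with a read-only token. `uses: docker://ghcr.io/psalm/psalm-security-scan` pulls a mutable, untagged image that then runs against the checked-out source on every push and pull request, and `actions/checkout@v2` / `upload-sarif@v1` are floating major-version tags; pinning the image to a digest (`docker://ghcr.io/psalm/psalm-security-scan@sha256:<image-digest>`) and the actions to a commit SHA keeps the scan reproducible and reviewable. The same `uses:` line appears as context in the second `pslam.yml` hunk (PATCH 2/3), so the pin applies there too. Two style points: the file name `pslam.yml` reads as a typo of `psalm`, and the file is missing its trailing newline (`\ No newline at end of file`).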
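Review bot: Nothing in the new `with:` block or the steps around it keeps the SARIF upload alive when the scan step fails: the psalm step has no `continue-on-error` and the following `upload-sarif` step has no `if: always()`, so a non-zero exit from the scan container means `results.sarif` is never uploaded and the findings never reach code scanning. The Snyk workflow deleted in the next hunk set `continue-on-error: true` on its scan step for exactly that reason; whether the psalm image exits non-zero on findings is not visible here, so check its documentation and add `continue-on-error: true` on the scan step or `if: always()` on the upload step accordingly. `report_file: results.sarif` has to stay in sync with `sarif_file: results.sarif` on the upload step, which lies outside this hunk's added lines; a comment such as `# must match sarif_file in the upload step below` would make that coupling explicit.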
diff --git a/.github/workflows/snyk-infrastructure-analysis.yml b/.github/workflows/snyk-infrastructure-analysis.yml
deleted file mode 100644
index 43e05d5..0000000
--- a/.github/workflows/snyk-infrastructure-analysis.yml
+++ /dev/null
@@ -1,42 +0,0 @@
-# A sample workflow which checks out your Infrastructure as Code Configuration files,
-# such as Kubernetes, Helm & Terraform and scans them for any security issues.
-# The results are then uploaded to GitHub Security Code Scanning
-#
-# For more examples, including how to limit scans to only high-severity issues
-# and fail PR checks, see https://github.com/snyk/actions/
-
-name: Snyk Infrastructure as Code
-
-on:
- push:
- branches: [ master ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ master ]
- schedule:
- - cron: '42 7 * * 4'
-
-jobs:
- snyk:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: Run Snyk to check configuration files for security issues
- # Snyk can be used to break the build when it detects security issues.
- # In this case we want to upload the issues to GitHub Code Scanning
- continue-on-error: true
- uses: snyk/actions/iac@master
- env:
- # In order to use the Snyk Action you will need to have a Snyk API token.
- # More details in https://github.com/snyk/actions#getting-your-snyk-token
- # or you can signup for free at https://snyk.io/login
- SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
- with:
- # Add the path to the configuration file that you would like to test.
- # For example `deployment.yaml` for a Kubernetes deployment manifest
- # or `main.tf` for a Terraform configuration file
- file: your-file-to-test.yaml
- - name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: snyk.sarif
From 96176a46fb14d0292b1640055c0132c1e3fc458c Mon Sep 17 00:00:00 2001
From: lastlink
Date: Mon, 11 Oct 2021 14:05:53 -0400
Subject: [PATCH 3/3] fix taint
---
 view/login.php | 2 +-
 view/registration.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/view/login.php b/view/login.php
index 5c33a43..a14fef3 100644
--- a/view/login.php
+++ b/view/login.php
@@ -33,7 +33,7 @@ Passwords must be at least 8 characters and contain at least 1 number, 1 capital letter, and 1 special character
- required>
+ required>
diff --git a/view/registration.php b/view/registration.php
index 814436c..0bc667b 100644
--- a/view/registration.php
+++ b/view/registration.php
@@ -34,7 +34,7 @@ Passwords must be at least 8 characters and contain at least 1 number, 1 capital letter, and 1 special character
- pattern="(?=^.{8,}$)(?=.*\d)(?=.*\W+)(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$" required>
+ pattern="(?=^.{8,}$)(?=.*\d)(?=.*\W+)(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$" required>