From ad2d5dd284dc733a5fbd2a9f60c30fa1b7a0da73 Mon Sep 17 00:00:00 2001
From: Marvin Borner
Date: Sat, 10 Oct 2020 11:37:35 +0200
Subject: Fixed HTML injection and middlename spaces
---
poll/public/script.js | 15 +--------------
quotes/index.js | 2 +-
quotes/public/script.js | 4 ++--
3 files changed, 4 insertions(+), 17 deletions(-)
diff --git a/poll/public/script.js b/poll/public/script.js
index bfb686d..a1911fa 100644
--- a/poll/public/script.js
+++ b/poll/public/script.js
@@ -8,26 +8,13 @@ function appendOption(response) {
response.forEach((elem) => {
dropdown.insertAdjacentHTML(
"beforeend",
- ``,
);
});
}
-function appendQuote(response) {
- response.forEach((elem) => {
- document
- .getElementById(elem["class"])
- .insertAdjacentHTML(
- "beforeend",
- `
${elem["name"]} ${elem["middlename"] ? elem["middlename"] : " "}${elem["surname"]}: ${
- elem["quote"]
- }`,
- );
- });
-}
-
fetch("/auth/api/list")
.then((response) => response.json())
.then((response) => appendOption(response));
diff --git a/quotes/index.js b/quotes/index.js
index 5aa0646..0e0717b 100644
--- a/quotes/index.js
+++ b/quotes/index.js
@@ -11,7 +11,7 @@ app.post("/api/add", checkUser, async (req, res) => {
await db.query("INSERT INTO quotes (user_id, author_id, quote) VALUE (?,?,?)", [
req.session.uid,
parseInt(req.body.author),
- req.body.quote,
+ req.body.quote.replace(//g, ">"),
]);
res.redirect("/quotes");
} catch (e) {
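Review bot: The replacement added on the new `req.body.quote` line encodes at storage time, and as printed it rewrites a single character (the regex literal looks garbled by the renderer — `//g` on its own is a syntax error, so the original was presumably a `/</g`-style pattern), which leaves `&`, `"` and `'` untouched and bakes HTML entities into the database for every other consumer of the quotes table. Escaping belongs at the render site (the client's insertAdjacentHTML in quotes/public/script.js, or a textContent assignment there), with the raw text stored. The handler also dereferences `req.body.quote` without checking that it is a string, so a request missing the field throws a TypeError inside the try before the INSERT runs; `if (typeof req.body.quote !== "string") return res.status(400).end();` ahead of the query would turn that into an explicit client error. The handler's opening and the catch body are outside the hunk.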
diff --git a/quotes/public/script.js b/quotes/public/script.js
index f8486f9..d848814 100644
--- a/quotes/public/script.js
+++ b/quotes/public/script.js
@@ -11,7 +11,7 @@ function appendOption(response) {
(response[i - 1 < 0 ? 0 : i - 1]["class_id"] !== elem["class_id"]
? ``
: "") +
- ``,
);
@@ -24,7 +24,7 @@ function appendQuote(response) {
.getElementById(elem["class"])
.insertAdjacentHTML(
"beforeend",
- `${elem["name"]} ${elem["middlename"] ? elem["middlename"] : ""}${elem["surname"]}: ${
+ `${elem["name"]} ${elem["middlename"] ? elem["middlename"] + " " : ""}${elem["surname"]}: ${
elem["quote"]
}${elem["owner"] ? ' [x]' : ""}`,
);
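Review bot: The new template line still interpolates `elem["name"]`, `elem["middlename"]` and `elem["surname"]` straight into markup handed to insertAdjacentHTML, and only `elem["quote"]` receives the server-side encoding this commit adds in quotes/index.js; a name containing markup characters is rendered as HTML. Building the entry's text with a `textContent` assignment on a created element, and appending that to `document.getElementById(elem["class"])`, removes the dependence on pre-encoded data for every field at once (the markup wrapping the line is not visible on this page, so the exact element cannot be quoted here). The enclosing appendQuote opens and closes outside the hunk.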
--