From ceb737fc409d473b8d7aca83a10b900d04254898 Mon Sep 17 00:00:00 2001
From: themohooks <81331307+themohooks@users.noreply.github.com>
Date: Wed, 17 Jul 2024 01:37:42 +0300
Subject: [PATCH] fix xss

---
 static/js/newcore.js  | 5 ++---
 views/pages/Photo.php | 6 +++---
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/static/js/newcore.js b/static/js/newcore.js
index 30bbed6..b663545 100644
--- a/static/js/newcore.js
+++ b/static/js/newcore.js
@@ -99,8 +99,7 @@
 
 
 function errimg() {
-    // Create the HTML content
-    const content = <center>
+    const content = `<center>
                         <div class="p20 s5" style="border:none; margin:0 -20px; display:none;">
                             <b>Фото потеряно при крахе винчестера</b>
                             <div class="sm" style="margin-top:5px">
@@ -108,7 +107,7 @@ function errimg() {
                                 <a href="mailto:admin@transphoto.org?subject=Для восстановления фото 651731">admin@transphoto.org</a>
                             </div>
                         </div>
-                    </center>;
+                    </center>`;
     $('#err').html(content);
     $('#err .p20').slideDown(500);
 }
diff --git a/views/pages/Photo.php b/views/pages/Photo.php
index 8410564..07b155a 100644
--- a/views/pages/Photo.php
+++ b/views/pages/Photo.php
@@ -127,8 +127,8 @@ if ($photo->i('id') !== null) {
                 <table class="pwrite">
                     <tr>
                     <?php
-                    if ($photo->i('place') != null) { ?>
-                        <td class="nw" valign="top" align="right"><b><?= $photo->i('postbody') ?></b></td>
+                    if ($photo->i('postbody') != null) { ?>
+                        <td class="nw" valign="top" align="right"><b><?= htmlspecialchars($photo->i('postbody')) ?></b></td>
                         <?php } ?>
                         <td class="nw" align="left" valign="top"></td>
                     </tr>
@@ -139,7 +139,7 @@ if ($photo->i('id') !== null) {
         <div>
             <?php
             if ($photo->content('comment') != null) { ?>
-            <div style="padding-top:8px"><?= $photo->content('comment') ?></div>
+            <div style="padding-top:8px"><?= htmlspecialchars($photo->content('comment')) ?></div>
             <?php } ?>
         </div><br>
         <?php