
Merge pull request #21 from vecchiotom/master

Fixed an XSS vulnerability where players could put HTML in their name and have it rendered and executed on everyone's scoreboard.
This commit is contained in:
リーフストーム 2018-03-09 22:33:25 +01:00 committed by GitHub
commit fefd225904
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -13,7 +13,7 @@ Citizen.CreateThread(function()
local wantedLevel = GetPlayerWantedLevel(i)
r, g, b = GetPlayerRgbColour(i)
table.insert(players,
'<tr style=\"color: rgb(' .. r .. ', ' .. g .. ', ' .. b .. ')\"><td>' .. GetPlayerServerId(i) .. '</td><td>' .. GetPlayerName(i) .. '</td><td>' .. (wantedLevel and wantedLevel or tostring(0)) .. '</td></tr>'
'<tr style=\"color: rgb(' .. r .. ', ' .. g .. ', ' .. b .. ')\"><td>' .. GetPlayerServerId(i) .. '</td><td>' .. sanitize(GetPlayerName(i)) .. '</td><td>' .. (wantedLevel and wantedLevel or tostring(0)) .. '</td></tr>'
)
end
@ -45,4 +45,16 @@ function GetPlayers()
end
return players
end
end
function sanitize(txt)
local replacements = {
['&' ] = '&amp;',
['<' ] = '&lt;',
['>' ] = '&gt;',
['\n'] = '<br/>'
}
return txt
:gsub('[&<>\n]', replacements)
:gsub(' +', function(s) return ' '..('&nbsp;'):rep(#s-1) end)
end
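Review bot: sanitize() in the second hunk escapes `&`, `<` and `>` but not quotes, so it is only safe for the text context it is used in on the new line 21 (`<td>…</td>`); anyone later reusing it inside an attribute value would be back to injection. Adding `['"'] = '&quot;'` and `["'"] = '&#39;'` to `replacements` and widening the pattern to `'[&<>"\'\n]'` makes the helper safe in both contexts. Separately, `gsub` returns the match count as a second value, so `return txt:gsub(...):gsub(...)` hands two values to any caller that does not truncate them (the `..` concatenation on line 21 does, but `table.insert(t, sanitize(x))` would not); wrapping it as `return (txt:gsub('[&<>\n]', replacements):gsub(' +', ...))` avoids that. Since the `\n` → `<br/>` and `&nbsp;` replacements deliberately emit markup, a one-line comment such as `-- HTML-encodes txt for a text node; newlines and runs of spaces become <br/> / &nbsp; so names keep their layout` would tell readers this is an encoder for text nodes, not a generic escaper.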