From 6b4f0434d173a6aba9512841613f94406edbc04f Mon Sep 17 00:00:00 2001
From: IceHax <vecchiotom1@gmail.com>
Date: Fri, 9 Mar 2018 22:29:11 +0100
Subject: [PATCH] fixed an xss vulnerability, where people could use html in
 their name to make it execute on everyone's scoreboard.

---
 resources/[system]/scoreboard/scoreboard.lua | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/resources/[system]/scoreboard/scoreboard.lua b/resources/[system]/scoreboard/scoreboard.lua
index 88685d7..bbed5e7 100644
--- a/resources/[system]/scoreboard/scoreboard.lua
+++ b/resources/[system]/scoreboard/scoreboard.lua
@@ -13,7 +13,7 @@ Citizen.CreateThread(function()
                     local wantedLevel = GetPlayerWantedLevel(i)
                     r, g, b = GetPlayerRgbColour(i)
                     table.insert(players, 
-                    '<tr style=\"color: rgb(' .. r .. ', ' .. g .. ', ' .. b .. ')\"><td>' .. GetPlayerServerId(i) .. '</td><td>' .. GetPlayerName(i) .. '</td><td>' .. (wantedLevel and wantedLevel or tostring(0)) .. '</td></tr>'
+                    '<tr style=\"color: rgb(' .. r .. ', ' .. g .. ', ' .. b .. ')\"><td>' .. GetPlayerServerId(i) .. '</td><td>' .. sanitize(GetPlayerName(i)) .. '</td><td>' .. (wantedLevel and wantedLevel or tostring(0)) .. '</td></tr>'
                     )
                 end
                 
@@ -45,4 +45,16 @@ function GetPlayers()
     end
 
     return players
-end
\ No newline at end of file
+end
+
+function sanitize(txt)
+    local replacements = {
+        ['&' ] = '&amp;', 
+        ['<' ] = '&lt;', 
+        ['>' ] = '&gt;', 
+        ['\n'] = '<br/>'
+    }
+    return txt
+        :gsub('[&<>\n]', replacements)
+        :gsub(' +', function(s) return ' '..('&nbsp;'):rep(#s-1) end)
+end