MyBB 1.8.15

admin/modules/config/attachment_types.php

@@ -718,6 +718,8 @@
 			$icon = "off.png\" alt=\"({$lang->alt_disabled})\" title=\"{$lang->alt_disabled}";
 		}
 
+		$attachment_type['extension'] = htmlspecialchars_uni($attachment_type['extension']);
+
 		$table->construct_cell($attachment_type['icon'], array("width" => 1));
 		$table->construct_cell("<strong>.{$attachment_type['extension']}</strong>");
 		$table->construct_cell(htmlspecialchars_uni($attachment_type['mimetype']));

admin/modules/config/settings.php

@@ -1517,7 +1517,7 @@
 			{
 				$setting['description'] = $lang->$desc_lang;
 			}
-			$form_container->output_row(htmlspecialchars_uni($setting['title']), $setting['description'], $setting_code, '', array(), array('id' => 'row_'.$element_id));
+			$form_container->output_row(htmlspecialchars_uni($setting['title']), htmlspecialchars_uni($setting['description']), $setting_code, '', array(), array('id' => 'row_'.$element_id));
 		}
 		$form_container->end();
 

admin/modules/config/warning.php

@@ -744,7 +744,7 @@ function checkAction(id)
 	while($type = $db->fetch_array($query))
 	{
 		$type['name'] = htmlspecialchars_uni($type['title']);
-		$table->construct_cell("<a href=\"index.php?module=config-warning&amp;action=edit_type&amp;tid={$type['tid']}\"><strong>{$type['title']}</strong></a>");
+		$table->construct_cell("<a href=\"index.php?module=config-warning&amp;action=edit_type&amp;tid={$type['tid']}\"><strong>{$type['name']}</strong></a>");
 		$table->construct_cell("{$type['points']}", array("class" => "align_center"));
 		$expiration = fetch_friendly_expiration($type['expirationtime']);
 		$lang_str = "expiration_".$expiration['period'];

admin/modules/style/templates.php

@@ -102,7 +102,7 @@
 $query = $db->simple_select("templatesets", "*", "", array('order_by' => 'title', 'order_dir' => 'ASC'));
 while($template_set = $db->fetch_array($query))
 {
-	$template_sets[$template_set['sid']] = $template_set['title'];
+	$template_sets[$template_set['sid']] = htmlspecialchars_uni($template_set['title']);
 }
 
 $plugins->run_hooks("admin_style_templates");
@@ -157,7 +157,7 @@
 	$form = new Form("index.php?module=style-templates&action=add_set", "post", "add_set");
 
 	$form_container = new FormContainer($lang->add_set);
-	$form_container->output_row($lang->title, "", $form->generate_text_box('title', $mybb->input['title'], array('id' => 'title')), 'title');
+	$form_container->output_row($lang->title, "", $form->generate_text_box('title', htmlspecialchars_uni($mybb->input['title']), array('id' => 'title')), 'title');
 	$form_container->end();
 
 	$buttons = array();
@@ -1335,7 +1335,7 @@
 	{
 		if(!$done_set[$sid])
 		{
-			$table->construct_header($templatesets[$sid]['title'], array("colspan" => 2));
+			$table->construct_header(htmlspecialchars_uni($templatesets[$sid]['title']), array("colspan" => 2));
 
 			$done_set[$sid] = 1;
 			++$count;
@@ -2004,6 +2004,8 @@ function sort_template_groups($a, $b)
 			$actions = $popup->fetch();
 		}
 
+		$set['title'] = htmlspecialchars_uni($set['title']);
+
 		$table->construct_cell("<strong><a href=\"index.php?module=style-templates&amp;sid={$set['sid']}\">{$set['title']}</a></strong><br /><small>{$used_by_note}</small>");
 		$table->construct_cell($actions, array("class" => "align_center"));
 		$table->construct_row();

admin/modules/tools/tasks.php

@@ -79,7 +79,10 @@ function check_time_values($value, $min, $max, $return_type)
 			$errors[] = $lang->error_missing_description;
 		}
 
-		if(!file_exists(MYBB_ROOT."inc/tasks/".$mybb->input['file'].".php"))
+		$file = $mybb->get_input('file');
+		$file = basename($file, '.php');
+
+		if(!file_exists(MYBB_ROOT."inc/tasks/".$file.".php"))
 		{
 			$errors[] = $lang->error_invalid_task_file;
 		}
@@ -126,7 +129,7 @@ function check_time_values($value, $min, $max, $return_type)
 			$new_task = array(
 				"title" => $db->escape_string($mybb->input['title']),
 				"description" => $db->escape_string($mybb->input['description']),
-				"file" => $db->escape_string($mybb->input['file']),
+				"file" => $db->escape_string($file),
 				"minute" => $db->escape_string($mybb->input['minute']),
 				"hour" => $db->escape_string($mybb->input['hour']),
 				"day" => $db->escape_string($mybb->input['day']),
@@ -271,7 +274,10 @@ function check_time_values($value, $min, $max, $return_type)
 			$errors[] = $lang->error_missing_description;
 		}
 
-		if(!file_exists(MYBB_ROOT."inc/tasks/".$mybb->input['file'].".php"))
+        $file = $mybb->get_input('file');
+        $file = basename($file, '.php');
+
+		if(!file_exists(MYBB_ROOT."inc/tasks/".$file.".php"))
 		{
 			$errors[] = $lang->error_invalid_task_file;
 		}
@@ -326,7 +332,7 @@ function check_time_values($value, $min, $max, $return_type)
 			$updated_task = array(
 				"title" => $db->escape_string($mybb->input['title']),
 				"description" => $db->escape_string($mybb->input['description']),
-				"file" => $db->escape_string($mybb->input['file']),
+				"file" => $db->escape_string($file),
 				"minute" => $db->escape_string($mybb->input['minute']),
 				"hour" => $db->escape_string($mybb->input['hour']),
 				"day" => $db->escape_string($mybb->input['day']),

admin/modules/user/admin_permissions.php

@@ -339,6 +339,9 @@
 			$perm_type = "default";
 		}
 		$uid = -$group['gid'];
+
+		$group['title'] = htmlspecialchars_uni($group['title']);
+
 		$table->construct_cell("<div class=\"float_right\"><img src=\"styles/{$page->style}/images/icons/{$perm_type}.png\" title=\"{$lang->permissions_type_group}\" alt=\"{$perm_type}\" /></div><div><strong><a href=\"index.php?module=user-admin_permissions&amp;action=edit&amp;uid={$uid}\" title=\"{$lang->edit_group}\">{$group['title']}</a></strong><br /></div>");
 
 		if($group['permissions'] != "")
@@ -472,7 +475,7 @@
 			// Primary usergroup?
 			if($usergroups[$admin['usergroup']]['cancp'] == 1)
 			{
-				$usergroup_list[] = "<i>".$usergroups[$admin['usergroup']]['title']."</i>";
+				$usergroup_list[] = "<i>".htmlspecialchars_uni($usergroups[$admin['usergroup']]['title'])."</i>";
 			}
 
 			// Secondary usergroups?
@@ -483,7 +486,7 @@
 				{
 					if($usergroups[$gid]['cancp'] == 1)
 					{
-						$usergroup_list[] = $usergroups[$gid]['title'];
+						$usergroup_list[] = htmlspecialchars_uni($usergroups[$gid]['title']);
 					}
 				}
 			}

admin/modules/user/group_promotions.php

@@ -379,7 +379,7 @@
 	$query = $db->simple_select("usergroups", "gid, title", "gid != '1'", array('order_by' => 'title'));
 	while($usergroup = $db->fetch_array($query))
 	{
-		$options[(int)$usergroup['gid']] = $usergroup['title'];
+		$options[(int)$usergroup['gid']] = htmlspecialchars_uni($usergroup['title']);
 	}
 
 	$form_container->output_row($lang->orig_user_group." <em>*</em>", $lang->orig_user_group_desc, $form->generate_select_box('originalusergroup[]', $options, $mybb->input['originalusergroup'], array('id' => 'originalusergroup', 'multiple' => true, 'size' => 5)), 'originalusergroup');
@@ -603,7 +603,7 @@
 	$query = $db->simple_select("usergroups", "gid, title", "gid != '1'", array('order_by' => 'title'));
 	while($usergroup = $db->fetch_array($query))
 	{
-		$options[(int)$usergroup['gid']] = $usergroup['title'];
+		$options[(int)$usergroup['gid']] = htmlspecialchars_uni($usergroup['title']);
 	}
 
 	$form_container->output_row($lang->orig_user_group." <em>*</em>", $lang->orig_user_group_desc, $form->generate_select_box('originalusergroup[]', $options, $mybb->input['originalusergroup'], array('id' => 'originalusergroup', 'multiple' => true, 'size' => 5)), 'originalusergroup');

forumdisplay.php

@@ -1394,6 +1394,7 @@
 
 			while($tool = $db->fetch_array($query))
 			{
+				$tool['name'] = htmlspecialchars_uni($tool['name']);
 				eval("\$customthreadtools .= \"".$templates->get("forumdisplay_inlinemoderation_custom_tool")."\";");
 			}
 

inc/functions_task.php

@@ -51,8 +51,10 @@ function run_task($tid=0)
 		$db->update_query("tasks", array("locked" => TIME_NOW), "tid='{$task['tid']}'");
 	}
 
+    $file = basename($task['file'], '.php');
+
 	// The task file does not exist
-	if(!file_exists(MYBB_ROOT."inc/tasks/{$task['file']}.php"))
+	if(!file_exists(MYBB_ROOT."inc/tasks/{$file}.php"))
 	{
 		if($task['logging'] == 1)
 		{
@@ -80,8 +82,8 @@ function run_task($tid=0)
 		// Update the nextrun time now, so if the task causes a fatal error, it doesn't get stuck first in the queue
 		$nextrun = fetch_next_run($task);
 		$db->update_query("tasks", array("nextrun" => $nextrun), "tid='{$task['tid']}'");
-
-		include_once MYBB_ROOT."inc/tasks/{$task['file']}.php";
+		
+		include_once MYBB_ROOT."inc/tasks/{$file}.php";
 		$function = "task_{$task['file']}";
 		if(function_exists($function))
 		{

member.php

@@ -1219,6 +1219,9 @@
 			{
 				$question = $db->fetch_array($query);
 
+				$question['question'] = htmlspecialchars_uni($question['question']);
+				$question['sid'] = htmlspecialchars_uni($question['sid']);
+
 				$refresh = '';
 				// Total questions
 				$q = $db->simple_select('questions', 'COUNT(qid) as num', 'active=1');

moderation.php

@@ -3078,6 +3078,8 @@
 				exit;
 			}
 
+			$tool['name'] = htmlspecialchars_uni($tool['name']);
+
 			if($tool['type'] == 't' && $mybb->get_input('modtype') == 'inlinethread')
 			{
 				if($mybb->get_input('inlinetype') == 'search')

search.php

@@ -707,6 +707,7 @@
 
 			while($tool = $db->fetch_array($query))
 			{
+				$tool['name'] = htmlspecialchars_uni($tool['name']);
 				eval("\$customthreadtools .= \"".$templates->get("search_results_threads_inlinemoderation_custom_tool")."\";");
 			}
 			// Build inline moderation dropdown

showthread.php

@@ -1325,6 +1325,7 @@
 
 			while($tool = $db->fetch_array($query))
 			{
+				$tool['name'] = htmlspecialchars_uni($tool['name']);
 				if($tool['type'] == 'p')
 				{
 					eval("\$customposttools .= \"".$templates->get("showthread_inlinemoderation_custom_tool")."\";");