From 56eaf863f2593920161d5588c9ca63fe8e9312ce Mon Sep 17 00:00:00 2001
From: czaks
Date: Thu, 27 Mar 2014 13:10:53 +0100
Subject: [PATCH] SECURITY: fix XSS vulnerability

---
 attentionbar.php | 2 +-
 js/attention-bar.js | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/attentionbar.php b/attentionbar.php
index 18a5d9ac..25f349cb 100644
--- a/attentionbar.php
+++ b/attentionbar.php
@@ -3,7 +3,7 @@ checkBan(); $text = isset($_POST['text']) ? $_POST['text'] : ''; if(strlen($text)>0 && !preg_match('/a href/', $text)) {
- file_put_contents("attentionbar.txt",$text);
+ file_put_contents("attentionbar.txt",htmlspecialchars($text));
 if(strlen($_SERVER['HTTP_REFERER'])>0) { header('Location: ' . $_SERVER['HTTP_REFERER']); } else { header('Location: /'); } } else print(file_get_contents("attentionbar.txt"));
diff --git a/js/attention-bar.js b/js/attention-bar.js
index a84cadff..40073081 100644
--- a/js/attention-bar.js
+++ b/js/attention-bar.js
@@ -2,7 +2,7 @@ $(document).ready(function(){ $("#attention_bar").click(function(eO){ $("#attention_bar").css("display","none"); $("#attention_bar_form").css("display","block"); }); $.get(configRoot + "attentionbar.txt", function(data) {
- $("#attention_bar").text(data);
- $("#attention_bar_input").val(data);
+ $("#attention_bar").html(data);
+ $("#attention_bar_input").val($("#attention_bar").text());
 }); });
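Review bot: `htmlspecialchars($text)` on the added `file_put_contents` line escapes at storage time rather than at output, so attentionbar.txt now holds HTML-encoded text and every reader must treat that file as HTML; the JavaScript change in this same commit depends on it, and a file written before this patch (or by any other writer) still holds raw markup that the new `.html()` rendering will inject. Either rewrite or clear the existing attentionbar.txt when deploying, or move the escaping to the output side instead. Pass explicit flags and charset as well, `htmlspecialchars($text, ENT_QUOTES, 'UTF-8')`, so single quotes are escaped and the result does not depend on the PHP default encoding. The `!preg_match('/a href/', $text)` blacklist in the context line is redundant once escaping is in place and should not be relied on as a filter. The `Location:` redirect to `$_SERVER['HTTP_REFERER']` in the context lines is built from a request header and so is user-controllable, and `strlen()` on it raises a notice when the header is absent; that predates this commit but is worth a follow-up.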
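Review bot: `$("#attention_bar").html(data)` on the first added line renders whatever the GET returned as markup, so the browser is now only as safe as the server-side escaping of attentionbar.txt; any unescaped content in that file (written before this commit, or through another path) becomes live HTML, and jQuery's `.html()` also evaluates inline `<script>` content it is given. A safer shape keeps the element as text and decodes the stored entities with an inert parser: `const plain = new DOMParser().parseFromString(data, 'text/html').body.textContent;` then `$("#attention_bar").text(plain);` and `$("#attention_bar_input").val(plain);`, which also removes the round trip through the DOM that the second added line uses to recover the decoded value (DOMParser with `text/html` needs a browser that supports it, so confirm against the supported targets). The enclosing `$(document).ready` callback starts outside the hunk.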