From 0cea69daed2c9f8ce2ca370e71c970521c97c420 Mon Sep 17 00:00:00 2001
From: Echo <github@3kh0.net>
Date: Wed, 2 Jul 2025 19:37:03 -0400
Subject: [PATCH] escape more things

---
 .../controllers/currently_hacking_controller.js       | 11 ++++++++++-
 app/views/admin/admin_api_keys/index.html.erb         |  4 ++--
 app/views/admin/timeline/show.html.erb                |  6 +++---
 app/views/my/mailing_addresses/show.html.erb          | 10 +++++-----
 .../_filterable_dashboard_content.html.erb            |  2 +-
 app/views/static_pages/_project_durations.html.erb    |  6 +++---
 app/views/static_pages/index.html.erb                 |  8 ++++----
 app/views/users/edit.html.erb                         |  2 +-
 8 files changed, 29 insertions(+), 20 deletions(-)

diff --git a/app/javascript/controllers/currently_hacking_controller.js b/app/javascript/controllers/currently_hacking_controller.js
index e771a03..f6e76cf 100644
--- a/app/javascript/controllers/currently_hacking_controller.js
+++ b/app/javascript/controllers/currently_hacking_controller.js
@@ -186,12 +186,21 @@ export default class extends Controller {
     const v = p.repo_url ? 
       p.repo_url.replace(/^https:\/\/github\.com\//, 'https://tkww0gcc0gkwwo4gc8kgs0sw.a.selfhosted.hackclub.com/') : ''
     
+    const out = this.esc(p.name)
+    
     return `
       <div class="text-sm italic text-muted ml-2">
         working on 
-        ${p.repo_url ? `<a href="${p.repo_url}" target="_blank" class="text-accent hover:text-cyan-400 transition-colors">${p.name}</a>` : p.name}
+        ${p.repo_url ? `<a href="${p.repo_url}" target="_blank" class="text-accent hover:text-cyan-400 transition-colors">${out}</a>` : out}
         ${v ? `<a href="${v}" target="_blank" class="ml-1">🌌</a>` : ''}
       </div>
     `
   }
+  
+  esc(str) {
+    if (str === null || str === undefined) return '';
+    return str.toString().replace(/[&<>"']/g, function (match) {
+      return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[match];
+    });
+  }
 }
diff --git a/app/views/admin/admin_api_keys/index.html.erb b/app/views/admin/admin_api_keys/index.html.erb
index b2f2814..3998e8e 100644
--- a/app/views/admin/admin_api_keys/index.html.erb
+++ b/app/views/admin/admin_api_keys/index.html.erb
@@ -30,7 +30,7 @@
             <tr class="hover:bg-darkless">
               <td class="px-6 py-4 whitespace-nowrap">
                 <div class="text-sm font-medium text-white">
-                  <%= api_key.name %>
+                  <%= h(api_key.name) %>
                 </div>
               </td>
               <td class="px-6 py-4 whitespace-nowrap">
@@ -39,7 +39,7 @@
                     <img class="h-6 w-6 rounded-full mr-2" src="<%= api_key.user.avatar_url %>" alt="">
                   <% end %>
                   <div>
-                    <div class="text-sm text-white"><%= api_key.user.display_name %></div>
+                    <div class="text-sm text-white"><%= h(api_key.user.display_name) %></div>
                     <div class="text-xs text-gray-400">ID: <%= api_key.user.id %></div>
                   </div>
                 </div>
diff --git a/app/views/admin/timeline/show.html.erb b/app/views/admin/timeline/show.html.erb
index 4a5127d..3c6d25f 100644
--- a/app/views/admin/timeline/show.html.erb
+++ b/app/views/admin/timeline/show.html.erb
@@ -167,7 +167,7 @@
           <div class="absolute top-0 p-3 rounded-lg shadow-lg <%= trust_level_bg %>"
                data-user-id="<%= user.id %>"
                style="left: <%= column_left + 2 %>px; width: <%= min_column_width_px - 4 %>px;"
-               title="User ID: <%= user.id %> - <%= user.respond_to?(:username) && user.username.present? ? user.username : user.email_addresses.first&.email %> | Total Coded: <%= total_coded_time_seconds && total_coded_time_seconds > 0 ? short_time_detailed(total_coded_time_seconds) : '0m' %> | TZ: <%= user.timezone %>">
+               title="User ID: <%= user.id %> - <%= user.respond_to?(:username) && user.username.present? ? h(user.username) : h(user.email_addresses.first&.email) %> | Total Coded: <%= total_coded_time_seconds && total_coded_time_seconds > 0 ? short_time_detailed(total_coded_time_seconds) : '0m' %> | TZ: <%= h(user.timezone) %>">
             <div class="flex items-center space-x-1 mb-1">
               <%= render "shared/user_mention", user: user %>
             </div>
@@ -291,9 +291,9 @@
                     <% if project_detail[:repo_url].present? %>
                       <a href="<%= project_detail[:repo_url] %>" target="_blank" rel="noopener noreferrer" 
                          class="text-white hover:text-gray-200 underline" 
-                         title="Open <%= project_detail[:name] %> on GitHub"><%= project_detail[:name].truncate(20) %></a>
+                         title="Open <%= h(project_detail[:name]) %> on GitHub"><%= h(project_detail[:name]).truncate(20) %></a>
                     <% else %>
-                      <span title="<%= project_detail[:name] %> - No GitHub Repo Mapped"><%= project_detail[:name].truncate(20) %> 🚫</span>
+                      <span title="<%= h(project_detail[:name]) %> - No GitHub Repo Mapped"><%= h(project_detail[:name]).truncate(20) %> 🚫</span>
                     <% end %>
                     <% if p_idx < props[:projects_to_display].length - 1 && props[:height_px] > 20 %>
                       <%= " / " %>
diff --git a/app/views/my/mailing_addresses/show.html.erb b/app/views/my/mailing_addresses/show.html.erb
index d6e01a9..19acb87 100644
--- a/app/views/my/mailing_addresses/show.html.erb
+++ b/app/views/my/mailing_addresses/show.html.erb
@@ -23,16 +23,16 @@
         <div class="bg-darkless rounded-lg p-6 border-l-4 border-primary">
           <div class="space-y-2 text-lg">
             <p class="font-semibold text-white">
-              <%= @user.mailing_address.first_name %> <%= @user.mailing_address.last_name %>
+              <%= h(@user.mailing_address.first_name) %> <%= h(@user.mailing_address.last_name) %>
             </p>
-            <p class="text-secondary"><%= @user.mailing_address.line_1 %></p>
+            <p class="text-secondary"><%= h(@user.mailing_address.line_1) %></p>
             <% if @user.mailing_address.line_2.present? %>
-              <p class="text-secondary"><%= @user.mailing_address.line_2 %></p>
+              <p class="text-secondary"><%= h(@user.mailing_address.line_2) %></p>
             <% end %>
             <p class="text-secondary">
-              <%= @user.mailing_address.city %>, <%= @user.mailing_address.state %> <%= @user.mailing_address.zip_code %>
+              <%= h(@user.mailing_address.city) %>, <%= h(@user.mailing_address.state) %> <%= h(@user.mailing_address.zip_code) %>
             </p>
-            <p class="text-secondary font-semibold"><%= @user.mailing_address.country %></p>
+            <p class="text-secondary font-semibold"><%= h(@user.mailing_address.country) %></p>
           </div>
         </div>
       </section>
diff --git a/app/views/static_pages/_filterable_dashboard_content.html.erb b/app/views/static_pages/_filterable_dashboard_content.html.erb
index 84ddfc9..c549de5 100644
--- a/app/views/static_pages/_filterable_dashboard_content.html.erb
+++ b/app/views/static_pages/_filterable_dashboard_content.html.erb
@@ -86,7 +86,7 @@
         
         <% @project_durations.each do |project, duration| %>
           <div class="bar-row">
-            <div class="bar-label"><%= (project.presence || "Unknown") %></div>
+            <div class="bar-label"><%= h(project.presence || "Unknown") %></div>
             <div class="bar-container">
               <div class="bar" style="width: <%= log_scale(duration, max_duration) %>%">
                 <span class="bar-value"><%= ApplicationController.helpers.short_time_simple(duration) %></span>
diff --git a/app/views/static_pages/_project_durations.html.erb b/app/views/static_pages/_project_durations.html.erb
index 1825e69..e5b4005 100644
--- a/app/views/static_pages/_project_durations.html.erb
+++ b/app/views/static_pages/_project_durations.html.erb
@@ -7,8 +7,8 @@
       <div class="bg-dark border border-primary rounded-xl p-6 shadow-lg transition-all duration-300 flex flex-col gap-4 hover:border-primary/40 hover:-translate-y-1 hover:shadow-xl backdrop-blur-sm">
         <div class="flex justify-between items-start gap-3">
           <div class="flex flex-col gap-2 flex-1 min-w-0">
-            <h3 class="text-lg font-semibold text-white truncate" title="<%= project[:project] %>">
-              <%= (project[:project].presence || "Unknown") %>
+            <h3 class="text-lg font-semibold text-white truncate" title="<%= h(project[:project]) %>">
+              <%= h(project[:project].presence || "Unknown") %>
             </h3>
             <% if project[:repository]&.stars.present? %>
               <div class="flex items-center gap-1 text-sm text-yellow-400">
@@ -59,7 +59,7 @@
 
         <% if project[:repository]&.description.present? %>
           <div class="text-sm text-white/70 leading-relaxed line-clamp-2">
-            <%= project[:repository].description %>
+            <%= h(project[:repository].description) %>
           </div>
         <% end %>
 
diff --git a/app/views/static_pages/index.html.erb b/app/views/static_pages/index.html.erb
index b2c384e..81df44f 100644
--- a/app/views/static_pages/index.html.erb
+++ b/app/views/static_pages/index.html.erb
@@ -68,10 +68,10 @@
               <% @ssp_users_recent.each_with_index do |user, index| %>
                 <div class="relative cursor-pointer transition-transform duration-200 hover:-translate-y-1 hover:z-10 group <%= index > 0 ? '-ml-4' : '' %>">
                   <div class="absolute -top-9 left-1/2 transform -translate-x-1/2 bg-gray-800 text-white px-2 py-1 rounded text-xs whitespace-nowrap opacity-0 invisible group-hover:opacity-100 group-hover:visible transition-all duration-200 z-20">
-                    <%= user[:display_name] %>
+                    <%= h(user[:display_name]) %>
                     <div class="absolute top-full left-1/2 -ml-1 border-l-2 border-r-2 border-t-2 border-transparent border-t-gray-800"></div>
                   </div>
-                  <img src="<%= user[:avatar_url] %>" alt="<%= user[:display_name] %>" class="w-10 h-10 rounded-full border-2 border-primary object-cover shadow-sm" />
+                  <img src="<%= user[:avatar_url] %>" alt="<%= h(user[:display_name]) %>" class="w-10 h-10 rounded-full border-2 border-primary object-cover shadow-sm" />
                 </div>
               <% end %>
               <% if @ssp_users_size && @ssp_users_size > 5 %>
@@ -82,8 +82,8 @@
                     <div class="flex flex-col gap-2">
                       <% @ssp_users_recent.each do |user| %>
                         <div class="flex items-center p-1 rounded hover:bg-gray-700 transition-colors duration-200">
-                          <img src="<%= user[:avatar_url] %>" alt="<%= user[:display_name] %>" class="w-8 h-8 rounded-full mr-2 border border-primary" />
-                          <span class="font-medium text-sm"><%= user[:display_name] %></span>
+                          <img src="<%= user[:avatar_url] %>" alt="<%= h(user[:display_name]) %>" class="w-8 h-8 rounded-full mr-2 border border-primary" />
+                          <span class="font-medium text-sm"><%= h(user[:display_name]) %></span>
                         </div>
                       <% end %>
                     </div>
diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb
index 706c491..74c82e7 100644
--- a/app/views/users/edit.html.erb
+++ b/app/views/users/edit.html.erb
@@ -246,7 +246,7 @@
               <select name="project" id="project-select" onchange="up2(this.value)"
                       class="w-full px-3 py-2 bg-gray-800 border border-gray-600 rounded text-white focus:border-primary focus:ring-1 focus:ring-primary">
                 <% @projects.each do |project| %>
-                  <option value="<%= project %>"><%= project %></option>
+                  <option value="<%= h(project) %>"><%= h(project) %></option>
                 <% end %>
               </select>
               <div class="mt-3 p-4 bg-gray-800 border border-gray-600 rounded">