From 420fd558c6906dd96b8e0d2866146cb755cf12b9 Mon Sep 17 00:00:00 2001 From: Alexander Date: Tue, 16 May 2023 18:03:45 +0000 Subject: [PATCH] fix XSS in webchatlink variable (#63) webchatlink variable comes from the json file and was echoed unencoded Reviewed-on: https://tildegit.org/tildeverse/tilde.chat/pulls/63 Co-authored-by: Alexander Co-committed-by: Alexander --- stats/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stats/index.php b/stats/index.php index 85671da..b50c343 100644 --- a/stats/index.php +++ b/stats/index.php @@ -37,7 +37,7 @@ include __DIR__."/../header.php"; channels as $channel): ?> - name)?> + name)?> usercount)?> topic)?>
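Review bot: on the changed line inside the channels loop in stats/index.php, encoding webchatlink stops markup injection, but if the value is written into a link target it also needs a scheme check, because an HTML-encoded javascript: URL is still a working link. The commit message says the value comes from the json file, so treat it as untrusted: accept only http and https (for example by checking parse_url($value, PHP_URL_SCHEME) against an allow-list) and then pass it through htmlspecialchars with ENT_QUOTES so it cannot break out of a quoted attribute. The name, usercount and topic cells in the same loop read from the same channel objects, so confirm each of them is encoded the same way; in the text as shown here the removed and added lines read identically, so the exact encoding call cannot be checked from this view.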