Prevent XSS attacks (#117)

ishaantek · Jul 10, 2023 · 27dad08 · 27dad08
1 parent 5d07894
commit 27dad08
Show file tree

Hide file tree

Showing 16 changed files with 26 additions and 26 deletions.
diff --git a/src/pages/botlist/delete.ejs b/src/pages/botlist/delete.ejs
@@ -16,7 +16,7 @@ create a fourm and post to /bots/:id/deny
     <h2 class="title"><b><i class="fa-solid fa-trash"></i> Delete Bot</b></h2>
     <p>Fill out the reason below in order to delete the bot.</p>
   </center>
-  <form action="/bots/<%- id %>/delete" method="POST">
+  <form action="/bots/<%= id %>/delete" method="POST">
     <div class="form-group required">
       <label for="reason">Reason</label>
       <input type="text" class="form-control" id="reason" name="reason" placeholder="This bot is stupid." autocomplete="off">

diff --git a/src/pages/botlist/edit.ejs b/src/pages/botlist/edit.ejs
@@ -8,7 +8,7 @@
   <script src="//cdn.jsdelivr.net/npm/sweetalert2@10"></script>
   <script src="/multiselect.js"></script>
   <script src="https://cdn.jsdelivr.net/npm/sweetalert2@10/dist/sweetalert2.all.min.js"></script>
-  <title>Editing <%- bot.name %> - Universe List</title>
+  <title>Editing <%= bot.name %> - Universe List</title>
   <%- include("../parts/head.ejs") %>
 </head>
 <%- include("../parts/navbar.ejs") %>

diff --git a/src/pages/botlist/report.ejs b/src/pages/botlist/report.ejs
@@ -13,7 +13,7 @@
     <h2 class="title"><b><i class="fa-solid fa-flag"></i> Report Bot</b></h2>
     <p>Fill out the reason below in order to report the bot.</p>
   </center>
-  <form action="/bots/<%- id %>/report" method="POST">
+  <form action="/bots/<%= id %>/report" method="POST">
     <div class="form-group required">
       <label for="reason">Reason</label>
       <input type="text" class="form-control" id="reason" name="reason" placeholder="This bot includes spam in the description." autocomplete="off">

diff --git a/src/pages/botlist/review.ejs b/src/pages/botlist/review.ejs
@@ -3,7 +3,7 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Reviewing <%- bot.name %> - Universe List</title>
+  <title>Reviewing <%= bot.name %> - Universe List</title>
   <script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.26.0/moment.min.js"></script>
   <link rel='stylesheet' href='https://cdn.jsdelivr.net/npm/[email protected]/dist/sweetalert2.min.css'>
   <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/sweetalert2.all.min.js"></script>
@@ -19,7 +19,7 @@
         <h2 style="color:white;margin-top: 175px;"><b>Review <%= bot.name %></b></h2>
   <p style="color:white;font-size: 20">Fill out the form below in order add your review.</p>
           <hr class="my-4"><br><br>
-          <form action="/bots/<%- bot.id %>/review" method="POST">
+          <form action="/bots/<%= bot.id %>/review" method="POST">
             <div class="form-group required">
                 <label for="botID">Your ID</label>
                 <input type="number" class="form-control" value="<%= user.id %>" name="id" placeholder="1026362109287739423" aria-describedby="botIDhelp" autocomplete="off" readonly disabled>

diff --git a/src/pages/botlist/tags.ejs b/src/pages/botlist/tags.ejs
@@ -2,7 +2,7 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title><%- tag %> Bots - Universe List</title>
+  <title><%= tag %> Bots - Universe List</title>
   <%- include ("../parts/head.ejs") %>
 </head>
 <%- include ("../parts/navbar.ejs") %>

diff --git a/src/pages/botlist/viewbot.ejs b/src/pages/botlist/viewbot.ejs
@@ -13,7 +13,7 @@
   <script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.26.0/sanitize-html.min.js"></script>
   <link rel='stylesheet' href='https://cdn.jsdelivr.net/npm/[email protected]/dist/sweetalert2.min.css'>
   <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/sweetalert2.all.min.js"></script>
-  <title><%- bot.name %> - Universe List</title>
+  <title><%= bot.name %> - Universe List</title>
   <%- include("../parts/head.ejs") %>
 </head>
 
@@ -31,7 +31,7 @@
             <% } %>
           </h3>
 
-          <%- bot.shortDesc %><br>
+          <%= bot.shortDesc || "None" %><br>
           <!---
                         <span style="border-radius: 5px;" class="badge badge-primary" style="font-size: 20px;"><i class="fa-solid fa-server"></i> Servers: <%= bot.servers %></span>
                         <span style="border-radius: 5px;" class="badge badge-danger" style="font-size: 20px;"><i class="fa-solid fa-check-to-slot"></i> Votes: <%= bot.votes %></span>
@@ -80,7 +80,7 @@
     <hr>
     </hr>
     <p style="color: white; font-size: 16px;margin-left: 15px;"><i class="fa-solid fa-terminal"></i> Prefix: <code style="padding: 3px 8px; font-weight: bold;"><%= bot.prefix %></code></p>
-    <p style="color: white; font-size: 16px;margin-left: 15px;"><i class="fa-solid fa-crown"></i> Owner:&nbsp;&nbsp;<strong><a style="color: white;" href="/users/<%- bot.owner %>"><%= bot.ownerTag %></a></strong></p>
+    <p style="color: white; font-size: 16px;margin-left: 15px;"><i class="fa-solid fa-crown"></i> Owner:&nbsp;&nbsp;<strong><a style="color: white;" href="/users/<%= bot.owner %>"><%= bot.ownerTag %></a></strong></p>
     <!-- <% if (bot.presence && bot.presence.status === "online") { %>
     <p style="color: white; font-size: 16px;"><i class="fa-solid fa-signal %>"></i> Status: <strong>🟢Online</strong></p>
   <% } else if (bot && bot.presence && bot.presence.status === "idle") { %>

diff --git a/src/pages/botlist/vote.ejs b/src/pages/botlist/vote.ejs
@@ -3,7 +3,7 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Vote for <%- bot.name %> - Universe List</title>
+  <title>Vote for <%= bot.name %> - Universe List</title>
   <script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.26.0/moment.min.js"></script>
   <link rel='stylesheet' href='https://cdn.jsdelivr.net/npm/[email protected]/dist/sweetalert2.min.css'>
   <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/sweetalert2.all.min.js"></script>
@@ -36,7 +36,7 @@
           </div>
 
           <hr class="my-4">
-          <form action="/bots/<%- bot.id %>/vote" method="POST">
+          <form action="/bots/<%= bot.id %>/vote" method="POST">
             <button type="submit" style="border-radius: 7px;background-color: #480ddd;" class="btn btn-primary btn-lg btn-block" id="upvote">Click to vote</button>
           </form>
         </div>

diff --git a/src/pages/edituser.ejs b/src/pages/edituser.ejs
@@ -8,7 +8,7 @@
     <script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.26.0/sanitize-html.min.js"></script>
     <script src="//cdn.jsdelivr.net/npm/sweetalert2@10"></script>
     <script src="https://cdn.jsdelivr.net/npm/sweetalert2@10/dist/sweetalert2.all.min.js"></script>
-    <title>Editing <%- fetched_user.username %> - Universe List</title>
+    <title>Editing <%= fetched_user.username %> - Universe List</title>
     <%- include("./parts/head.ejs") %>
   </head>
   <%- include("./parts/navbar.ejs") %>

diff --git a/src/pages/queue/approve.ejs b/src/pages/queue/approve.ejs
@@ -17,7 +17,7 @@ create a fourm and post to /bots/:id/deny
     <h2 class="title"><b><i class="fa-solid fa-square-check"></i> Approve Bot</b></h2>
     <p>Are you sure you would like to approve this bot?</p>
     <br>
-    <form action="/bots/<%- id %>/status" method="POST">
+    <form action="/bots/<%= id %>/status" method="POST">
       <button type="submit" class="bluebtn"><i class="fa-solid fa-square-check"></i>&nbsp&nbspApprove</button>
     </form>
     <a href="/queue">

diff --git a/src/pages/queue/deny.ejs b/src/pages/queue/deny.ejs
@@ -17,7 +17,7 @@ create a fourm and post to /bots/:id/deny
     <h2 class="title"><b><i class="fa-solid fa-trash"></i> Deny Bot</b></h2>
     <p>Fill out the reason below in order to deny the bot.</p>
   </center>
-  <form action="/bots/<%- id %>/deny" method="POST">
+  <form action="/bots/<%= id %>/deny" method="POST">
     <div class="form-group required">
       <label for="reason">Reason</label>
       <input type="text" class="form-control" id="reason" name="reason" placeholder="This bot does not work." autocomplete="off">

diff --git a/src/pages/queue/index.ejs b/src/pages/queue/index.ejs
@@ -82,7 +82,7 @@
             <a href="/bots/<%= inprogress[i].id %>/deny" class="btn btn-danger" style="border-radius: 5px;">Deny</a>
           </td>
           <td>
-            <%- inprogress[i].reviewer %>
+            <%= inprogress[i].reviewer %>
           </td>
           <% } %>
       </table>

diff --git a/src/pages/servers/editserver.ejs b/src/pages/servers/editserver.ejs
@@ -7,7 +7,7 @@
   <script src="https://cdnjs.cloudflare.com/ajax/libs/marked/1.1.0/marked.min.js"></script>
   <script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.26.0/sanitize-html.min.js"></script>
   <script src="/multiselect.js"></script>
-  <title>Editing <%- server.name %> - Universe List</title>
+  <title>Editing <%= server.name %> - Universe List</title>
   <%- include("../parts/head.ejs") %>
 </head>
 <%- include("../parts/navbar.ejs") %>

diff --git a/src/pages/servers/tags.ejs b/src/pages/servers/tags.ejs
@@ -3,7 +3,7 @@
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title><%- tag %> Servers - Universe Servers</title>
+    <title><%= tag %> Servers - Universe Servers</title>
     <%- include ("../parts/head.ejs") %>
   </head>
   <%- include ("../parts/navbar.ejs") %>

diff --git a/src/pages/servers/viewserver.ejs b/src/pages/servers/viewserver.ejs
@@ -7,7 +7,7 @@
   <meta name="keywords" content="Universe List,botlist,discord,%- server.name %>,discordbots,discordservers">
   <script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.26.0/sanitize-html.min.js"></script>
   <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/sweetalert2.all.min.js"></script>
-  <title><%- server.name %> - Universe List</title>
+  <title><%= server.name %> - Universe List</title>
   <%- include("../parts/head.ejs") %>
 </head>
 
@@ -24,7 +24,7 @@
         </div>
         <div class="col-sm">
           <h3><%= server.name %></h3>
-          <%- server.shortDesc %><br>
+          <%= server.shortDesc %><br>
           <!--
                         <span style="border-radius: 5px;" class="badge badge-primary" style="font-size: 20px;"><i class="fa-solid fa-bomb"></i> Bumps: <%= server.bumps %></span>
                         <span style="border-radius: 5px;" class="badge badge-danger" style="font-size: 20px;"><i class="fa-solid fa-check-to-slot"></i> Votes: <%= server.votes %></span>
@@ -54,7 +54,7 @@
       <p style="color: white; font-size: 16px;"><i class="fa-solid fa-user-group"></i> Members: <strong><%= server.memberCount %></strong></p>
       <p style="color: white; font-size: 16px;"><i class="fa-solid fa-face-smile"></i> Emojis: <strong><%= server.emojis %></strong></p>
       <p style="color: white; font-size: 16px;"><i class="fa-solid fa-gem"></i> Boosts: <strong><%= server.boosts %></strong></p>
-      <p style="color: white; font-size: 16px;"><i class="fa-solid fa-crown"></i> Owner:&nbsp;&nbsp;<strong><a style="color: white;" href="/users/<%- server.owner %>"><%= server.ownerTag %></a></strong></p>
+      <p style="color: white; font-size: 16px;"><i class="fa-solid fa-crown"></i> Owner:&nbsp;&nbsp;<strong><a style="color: white;" href="/users/<%= server.owner %>"><%= server.ownerTag %></a></strong></p>
       <p style="color: white; font-size: 16px;"><i class="fa-solid fa-hashtag"></i> Tags: <strong><%= server.tags %></strong></p><br>
       <h2><i class="fa-solid fa-chart-simple"></i> Statistics</h2>
       <hr>

diff --git a/src/pages/servers/vote.ejs b/src/pages/servers/vote.ejs
@@ -4,7 +4,7 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Vote for <%- server.name %> - Universe List</title>
+  <title>Vote for <%= server.name %> - Universe List</title>
   <script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.26.0/moment.min.js"></script>
   <script src="https://cdnjs.cloudflare.com/ajax/libs/moment-duration-format/2.3.2/moment-duration-format.min.js"></script>
   <%- include("../parts/head.ejs") %>
@@ -31,7 +31,7 @@
           </div>
 
           <hr class="my-4">
-          <form action="/servers/<%- server.id %>/vote" method="POST">
+          <form action="/servers/<%= server.id %>/vote" method="POST">
             <button type="submit" style="border-radius: 7px;background-color: #480ddd;" class="btn btn-primary btn-lg btn-block" id="upvote">Click to vote</button>
           </form>
         </div>

diff --git a/src/pages/user.ejs b/src/pages/user.ejs
@@ -2,7 +2,7 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title><%- fetched_user.username %> - Universe List</title>
+  <title><%= fetched_user.username %> - Universe List</title>
   <meta property="og:author" content="universe-list.xyz">
   <meta property="og:title" content="<%= fetched_user.username %>">
   <meta property="og:url" content="https://universe-list.xyz">
@@ -34,7 +34,7 @@
               <i class="fa fa-vial" style="color:#2ecc71; bottom: -5px; font-size: 20px;" title="Universe List Beta Tester"></i>
                <% } %>
             <br>
-        <%- fetched_user.bio %>
+        <%= fetched_user.bio %>
         <hr>
         </hr>
         <% if (user) { %>
@@ -83,7 +83,7 @@
   <!--
         <% if (bots.length < 1) { %>
             <br><br>
-            <p style="background-color: black; background-size: 150px;">Looks like <%- fetched_user.tag %> doesn't have any bots....</p>
+            <p style="background-color: black; background-size: 150px;">Looks like <%= fetched_user.tag %> doesn't have any bots....</p>
             <% } %>
             -->
   <br><br><br><br>
@@ -116,7 +116,7 @@
   <!--
   <% if (servers.length < 1) { %>
     <br><br>
-    <p>Looks like <%- fetched_user.tag %> doesn't have any servers....</p>
+    <p>Looks like <%= fetched_user.tag %> doesn't have any servers....</p>
     <% } %>
     -->
 </div>