From c44dadc4df059017a82984dde46cbb62c68fc334 Mon Sep 17 00:00:00 2001
From: marcin212
Date: Thu, 1 Feb 2018 16:23:07 +0100
Subject: [PATCH] Fixed security flaw (XSS)
---
 inc/plugins/ts3func.php | 8 ++++----
 tsonline.php | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/inc/plugins/ts3func.php b/inc/plugins/ts3func.php
index 92addf0..614f620 100644
--- a/inc/plugins/ts3func.php
+++ b/inc/plugins/ts3func.php
@@ -327,12 +327,12 @@ function ts3func_online()
 {
 if($first == false)
 {
- $uzytkownicy .= ', '.$client['client_nickname'];
+ $uzytkownicy .= ', '.htmlspecialchars($client['client_nickname']);
 $first = false;
 }
 else
 {
- $uzytkownicy .= $client['client_nickname'];
+ $uzytkownicy .= htmlspecialchars($client['client_nickname']);
 $first = false;
 }
 $ts3func_usersonline_users = $uzytkownicy;
@@ -413,9 +413,9 @@ function ts3func_profile()
 $channelDesc = "";
 if(!empty($channelInfo['data']['channel_topic']))
- $channelDesc = " (".$channelInfo['data']['channel_topic'].")";
+ $channelDesc = " (".htmlspecialchars($channelInfo['data']['channel_topic']).")";
- $client_channel = "".$channelInfo['data']['channel_name'].$channelDesc;
+ $client_channel = "".htmlspecialchars($channelInfo['data']['channel_name']).$channelDesc;
 $client_firstconnect = date('Y-m-d H:i', $profileInfo['data']['client_created']);
 $client_lastconnect = date('Y-m-d H:i', $profileInfo['data']['client_lastconnected']);
diff --git a/tsonline.php b/tsonline.php
index 0589a04..2c416a0 100644
--- a/tsonline.php
+++ b/tsonline.php
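Review bot: Every new `htmlspecialchars()` call in this hunk relies on the default flags, which before PHP 8.1 are ENT_COMPAT without ENT_SUBSTITUTE: a nickname containing a single quote stays unescaped, so the fix is incomplete wherever `$ts3func_usersonline_users` ends up inside a single-quoted attribute, and a nickname with invalid UTF-8 collapses to an empty string. Pass the flags explicitly, `htmlspecialchars($client['client_nickname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, on both changed lines; the same applies to the channel_topic/channel_name lines in the ts3func_profile hunk and to the three changed lines in tsonline.php. If this is a MyBB plugin, which the inc/plugins path and the `$lang` object suggest, the core `htmlspecialchars_uni()` helper is the conventional wrapper for this. ts3func_online() and ts3func_profile() both start outside their hunks, so any other server-supplied field they render could not be checked here.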
@@ -49,15 +49,15 @@
 $channelDesc = "";
 if(!empty($channelInfo['channel_topic']))
- $channelDesc = " (".$channelInfo['channel_topic'].")";
+ $channelDesc = " (".htmlspecialchars($channelInfo['channel_topic']).")";
- $client_channel = "".$channelInfo['channel_name'].$channelDesc;
+ $client_channel = "".htmlspecialchars($channelInfo['channel_name']).$channelDesc;
 $userlist .= '
- '.$info['client_nickname'].'
+ '.htmlspecialchars($info['client_nickname']).'
 '.$client_connectiontime.' '.$lang->ts3func_minutes.'