From a31d5ae7b163a076275b6f3c82bfd07608ad214a Mon Sep 17 00:00:00 2001
From: Philipp
Date: Wed, 11 Jan 2023 23:09:40 +0100
Subject: [PATCH] Security: Use htmlspecialchars() for user input in Arguments class
---
 src/App/Page.php | 7 +++++++
 view/theme/frio/php/default.php | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/App/Page.php b/src/App/Page.php
index 37141426c3..6317214b4f 100644
--- a/src/App/Page.php
+++ b/src/App/Page.php
@@ -73,6 +73,8 @@ class Page implements ArrayAccess
 'right_aside' => '',
 'template' => '',
 'title' => '',
+ 'section' => '',
+ 'module' => '',
 ];
 /**
 * @var string The basepath of the page
@@ -509,6 +511,11 @@ class Page implements ArrayAccess
 $page = $this->page;
+ // add and escape some common but crucial content for direct "echo" in HTML (security)
+ $page['title'] = htmlspecialchars($page['title'] ?? '');
+ $page['section'] = htmlspecialchars($args->get(0) ?? 'generic');
+ $page['module'] = htmlspecialchars($args->getModuleName() ?? '');
+
 header("X-Friendica-Version: " . App::VERSION);
 header("Content-type: text/html; charset=utf-8");
diff --git a/view/theme/frio/php/default.php b/view/theme/frio/php/default.php
index d0580373e0..0c6dd3934f 100644
--- a/view/theme/frio/php/default.php
+++ b/view/theme/frio/php/default.php
@@ -77,7 +77,7 @@ $is_singleuser_class = $is_singleuser ? "is-singleuser" : "is-not-singleuser";
 ?>
- ">
+ ">
 t('Skip to main content'); ?>
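Review bot: The three `htmlspecialchars()` calls added after `$page = $this->page;` rely on the default flags, which only encode single quotes on PHP 8.1 and later; on older runtimes the default `ENT_COMPAT` leaves `'` untouched, so a value echoed into a single-quoted attribute is still not safe there. Passing the flags explicitly makes the escaping independent of the PHP version, e.g. `$page['section'] = htmlspecialchars($args->get(0) ?? 'generic', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` with the same change on the `title` and `module` lines. `ENT_SUBSTITUTE` additionally keeps an invalid UTF-8 byte in the title from silently turning the whole value into `''`. Since `$page['title']` is now encoded before it reaches the template layer, any template that escapes the title again would double-encode it — worth confirming against the themes. The enclosing method starts and ends outside the hunk.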
'; if (!empty($page['content'])) { echo $page['content'];