diff --git a/resources/mail/account_deletion_request_admin.php b/resources/mail/account_deletion_request_admin.php index 6d8fde1ad..440324da2 100644 --- a/resources/mail/account_deletion_request_admin.php +++ b/resources/mail/account_deletion_request_admin.php @@ -8,9 +8,9 @@

A user has requested deletion of their account. User details are below:

- Username + Username
- Name + Name
- Email + Email

diff --git a/resources/mail/account_deletion_request_cancelled_admin.php b/resources/mail/account_deletion_request_cancelled_admin.php index 39f105fbe..869c271ef 100644 --- a/resources/mail/account_deletion_request_cancelled_admin.php +++ b/resources/mail/account_deletion_request_cancelled_admin.php @@ -7,9 +7,9 @@

A user has cancelled their request for account deletion. User details are below:

- Username + Username
- Name + Name
- Email + Email

diff --git a/resources/mail/group_disband.php b/resources/mail/group_disband.php index f40129767..fd1c67d4b 100644 --- a/resources/mail/group_disband.php +++ b/resources/mail/group_disband.php @@ -5,7 +5,7 @@

Hello,

-

Your PI group, , has been disbanded on the UnityHPC Platform. +

Your PI group, , has been disbanded on the UnityHPC Platform. Any jobs associated with this PI account have been killed.

If you believe this to be a mistake, please reply to this email

diff --git a/resources/mail/group_join_request_cancelled.php b/resources/mail/group_join_request_cancelled.php index 90119b807..e61b3a618 100644 --- a/resources/mail/group_join_request_cancelled.php +++ b/resources/mail/group_join_request_cancelled.php @@ -1,4 +1,4 @@ Subject = "Unity PI Membership Request Cancelled: '" . $data["uid"] . "'"; ?>

Hello,

-

The user '' has cancelled their request to join your PI group.

+

The user '' has cancelled their request to join your PI group.

diff --git a/resources/mail/group_request_admin.php b/resources/mail/group_request_admin.php index 0dfd82011..41eda93a1 100644 --- a/resources/mail/group_request_admin.php +++ b/resources/mail/group_request_admin.php @@ -8,13 +8,13 @@

A user has requested a PI account. User details are below:

- Username + Username
- Organization + Organization
- Name + Name
- Email + Email

diff --git a/resources/mail/group_request_cancelled.php b/resources/mail/group_request_cancelled.php index 1af2e8bba..324a5f941 100644 --- a/resources/mail/group_request_cancelled.php +++ b/resources/mail/group_request_cancelled.php @@ -1,4 +1,4 @@ Subject = "PI Request Cancelled: '" . $data["uid"] . "'"; ?>

Hello,

-

The user '' has cancelled their request to become a PI.

+

The user '' has cancelled their request to become a PI.

diff --git a/resources/mail/group_user_added.php b/resources/mail/group_user_added.php index 1fb9d6bde..7396206f1 100644 --- a/resources/mail/group_user_added.php +++ b/resources/mail/group_user_added.php @@ -5,7 +5,7 @@

Hello,

-

You have been approved to join the PI group . +

You have been approved to join the PI group . Navigate to the page to see your PI groups.

diff --git a/resources/mail/group_user_added_owner.php b/resources/mail/group_user_added_owner.php index a082f30eb..371b5b9d7 100644 --- a/resources/mail/group_user_added_owner.php +++ b/resources/mail/group_user_added_owner.php @@ -7,18 +7,18 @@

A new user has been added to your PI group, -''. +''. The details of the new user are below:

-Username +Username
-Organization +Organization
-Name +Name
-Email +Email

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_denied.php b/resources/mail/group_user_denied.php index 8e1f2ae0c..fcfb602bd 100644 --- a/resources/mail/group_user_denied.php +++ b/resources/mail/group_user_denied.php @@ -5,6 +5,6 @@

Hello,

-

You have been denied from joining the PI group .

+

You have been denied from joining the PI group .

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_denied_owner.php b/resources/mail/group_user_denied_owner.php index f98b161f2..d15d79e07 100644 --- a/resources/mail/group_user_denied_owner.php +++ b/resources/mail/group_user_denied_owner.php @@ -5,17 +5,17 @@

Hello,

-

A user has been denied from joining your PI group, . +

A user has been denied from joining your PI group, . The details of the denied user are below:

-Username +Username
-Organization +Organization
-Name +Name
-Email +Email

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_removed.php b/resources/mail/group_user_removed.php index 83a1786e1..3c2a291a6 100644 --- a/resources/mail/group_user_removed.php +++ b/resources/mail/group_user_removed.php @@ -5,6 +5,6 @@

Hello,

-

You have been removed from the PI group .

+

You have been removed from the PI group .

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_removed_owner.php b/resources/mail/group_user_removed_owner.php index 2cff0e54c..5c798a586 100644 --- a/resources/mail/group_user_removed_owner.php +++ b/resources/mail/group_user_removed_owner.php @@ -7,18 +7,18 @@

A user has been removed from your PI group, -''. +''. The details of the removed user are below:

-Username +Username
-Organization +Organization
-Name +Name
-Email +Email

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_request.php b/resources/mail/group_user_request.php index ad40d215c..7bbbb2018 100644 --- a/resources/mail/group_user_request.php +++ b/resources/mail/group_user_request.php @@ -5,6 +5,6 @@

Hello,

-

You have requested to join the group .

+

You have requested to join the group .

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_request_owner.php b/resources/mail/group_user_request_owner.php index b2db8638a..cff157d9d 100644 --- a/resources/mail/group_user_request_owner.php +++ b/resources/mail/group_user_request_owner.php @@ -7,18 +7,18 @@

A user has requested to join your PI group, -''. +''. The details of the user are below:

-Username +Username
-Organization +Organization
-Name +Name
-Email +Email

You can approve or deny this user on the diff --git a/resources/mail/user_flag_added.php b/resources/mail/user_flag_added.php index 268d0e44f..d71ebe153 100644 --- a/resources/mail/user_flag_added.php +++ b/resources/mail/user_flag_added.php @@ -5,9 +5,9 @@

Hello,

Your account on the UnityHPC Platform has been activated. Your account details are below:

-Username +Username
-Organization +Organization

See the diff --git a/resources/mail/user_flag_added_admin.php b/resources/mail/user_flag_added_admin.php index 3a40153e9..41ee2dc79 100644 --- a/resources/mail/user_flag_added_admin.php +++ b/resources/mail/user_flag_added_admin.php @@ -3,35 +3,35 @@ case UserFlag::QUALIFIED: ?> Subject = "User Qualified"; ?>

Hello,

-

User "" has been qualified.

+

User "" has been qualified.

Subject = "User Ghosted"; ?>

Hello,

-

User "" has been marked as ghost.

+

User "" has been marked as ghost.

Subject = "User Locked"; ?>

Hello,

-

User "" has been locked.

+

User "" has been locked.

Subject = "User Idle Locked"; ?>

Hello,

-

User "" has been idle locked.

+

User "" has been idle locked.

Subject = "User Promoted"; ?>

Hello,

-

User "" has been promoted to admin.

+

User "" has been promoted to admin.

diff --git a/resources/mail/user_flag_removed_admin.php b/resources/mail/user_flag_removed_admin.php index 9df4d136c..09fce452c 100644 --- a/resources/mail/user_flag_removed_admin.php +++ b/resources/mail/user_flag_removed_admin.php @@ -3,35 +3,35 @@ case UserFlag::QUALIFIED: ?> Subject = "User Dequalified"; ?>

Hello,

-

User "" has been dequalified.

+

User "" has been dequalified.

Subject = "User Resurrected"; ?>

Hello,

-

User "" has been resurrected (no longer marked as ghost).

+

User "" has been resurrected (no longer marked as ghost).

Subject = "User Unlocked"; ?>

Hello,

-

User "" has been unlocked.

+

User "" has been unlocked.

Subject = "User Idle Unlocked"; ?>

Hello,

-

User "" has been idle unlocked.

+

User "" has been idle unlocked.

Subject = "User Demoted"; ?>

Hello,

-

User "" has been demoted from admin.

+

User "" has been demoted from admin.

diff --git a/resources/mail/user_loginshell.php b/resources/mail/user_loginshell.php index a86e82088..8d42026f5 100644 --- a/resources/mail/user_loginshell.php +++ b/resources/mail/user_loginshell.php @@ -5,7 +5,7 @@

Hello,

-

You have updated your login shell on the UnityHPC Platform to . +

You have updated your login shell on the UnityHPC Platform to . You can view the login shell settings on the page

diff --git a/resources/mail/user_sshkey.php b/resources/mail/user_sshkey.php index 8ec90a860..c8f78f5ca 100644 --- a/resources/mail/user_sshkey.php +++ b/resources/mail/user_sshkey.php @@ -10,7 +10,7 @@

$key"; + echo "
" . htmlspecialchars($key) . "
"; } ?>

diff --git a/webroot/admin/ajax/get_group_members.php b/webroot/admin/ajax/get_group_members.php index 7d0dbde8e..a6312d032 100644 --- a/webroot/admin/ajax/get_group_members.php +++ b/webroot/admin/ajax/get_group_members.php @@ -26,11 +26,14 @@ } else { echo ""; } - $fullname = $attributes["gecos"][0]; - $mail = $attributes["mail"][0]; - echo "$fullname"; - echo "$uid"; - echo "$mail"; + $uid_escaped = htmlspecialchars($uid); + $gecos = htmlspecialchars($attributes["gecos"][0]); + $mail_link = "mailto:" . urlencode($attributes["mail"][0]); + $mail_display = htmlspecialchars($attributes["mail"][0]); + $gid_escaped = htmlspecialchars($group->gid); + echo "$gecos"; + echo "$uid_escaped"; + echo "$mail_display"; echo ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo " @@ -38,13 +41,13 @@ action='' method='POST' onsubmit=' - return confirm(\"Are you sure you want to remove $uid from this group?\"); + return confirm(\"Are you sure you want to remove $uid_escaped from this group?\"); ' > $CSRFTokenHiddenFormInput - - + + "; @@ -59,20 +62,23 @@ } else { echo ""; } - $name = $user->getFullName(); - $email = $user->getMail(); - echo "$name"; - echo "$user->uid"; - echo "$email"; + $gecos = htmlspecialchars($user->getFullName()); + $uid_escaped = htmlspecialchars($user->uid); + $mail_link = "mailto:" . urlencode($user->getMail()); + $mail_display = htmlspecialchars($user->getMail()); + $gid_escaped = htmlspecialchars($group->gid); + echo "$gecos"; + echo "$uid_escaped"; + echo "$mail_display"; echo ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo "

+ onsubmit='return confirm(\"Are you sure you want to approve $uid_escaped ?\");'> $CSRFTokenHiddenFormInput - - + +
"; echo ""; diff --git a/webroot/admin/pi-mgmt.php b/webroot/admin/pi-mgmt.php index 135a10310..0adfa3f0c 100644 --- a/webroot/admin/pi-mgmt.php +++ b/webroot/admin/pi-mgmt.php @@ -69,14 +69,15 @@ $requests = $SQL->getRequests(UnitySQL::REQUEST_BECOME_PI); foreach ($requests as $request) { - $uid = $request["uid"]; - $request_user = new UnityUser($uid, $LDAP, $SQL, $MAILER, $WEBHOOK); - $name = $request_user->getFullname(); - $email = $request_user->getMail(); + $request_user = new UnityUser($request["uid"], $LDAP, $SQL, $MAILER, $WEBHOOK); + $uid = htmlspecialchars($request["uid"]); + $gecos = htmlspecialchars($request_user->getFullname()); + $mail_link = "mailto:" . urlencode($request_user->getMail()); + $mail_display = htmlspecialchars($request_user->getMail()); echo ""; - echo "$name"; + echo "$gecos"; echo "$uid"; - echo "$email"; + echo "$mail_display"; echo "" . date("jS F, Y", strtotime($request['timestamp'])) . ""; echo ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); @@ -123,11 +124,14 @@ class="filterSearch" ); usort($owner_attributes, fn($a, $b) => strcmp($a["uid"][0], $b["uid"][0])); foreach ($owner_attributes as $attributes) { - $mail = $attributes["mail"][0]; + $gecos = htmlspecialchars($attributes["gecos"][0]); + $gid = htmlspecialchars(UnityGroup::OwnerUID2GID($attributes["uid"][0])); + $mail_link = "mailto:" . urlencode($attributes["mail"][0]); + $mail_display = htmlspecialchars($attributes["mail"][0]); echo ""; - echo "" . $attributes["gecos"][0] . ""; - echo "" . UnityGroup::OwnerUID2GID($attributes["uid"][0]) . ""; - echo "$mail"; + echo "$gecos"; + echo "$gid"; + echo "$mail_display"; echo ""; } ?> diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php index f327aa78f..68595ffa7 100644 --- a/webroot/admin/user-mgmt.php +++ b/webroot/admin/user-mgmt.php @@ -57,24 +57,25 @@ class="filterSearch" usort($user_attributes, fn ($a, $b) => strcmp($a["uid"][0], $b["uid"][0])); foreach ($user_attributes as $attributes) { $uid = $attributes["uid"][0]; + $uid_escaped = htmlspecialchars($uid); + $gecos = htmlspecialchars($attributes["gecos"][0]); + $org = htmlspecialchars($attributes["o"][0]); + $mail_link = "mailto:" . urlencode($attributes["mail"][0]); + $mail_display = htmlspecialchars($attributes["mail"][0]); if ($SQL->accDeletionRequestExists($uid)) { echo ""; } else { echo ""; } - echo "" . $attributes["gecos"][0] . ""; - echo "" . $uid . ""; - echo "" . $attributes["o"][0] . ""; - echo " - - " . $attributes["mail"][0] . " - - "; + echo "$gecos"; + echo "$uid_escaped"; + echo "$org"; + echo "$mail_display"; echo ""; if (count($UID2PIGIDs[$uid]) > 0) { echo ""; foreach ($UID2PIGIDs[$uid] as $gid) { - echo ""; + echo ""; } echo "
$gid
" . htmlspecialchars($gid) . "
"; } @@ -82,10 +83,10 @@ class="filterSearch" echo ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo "
+ onsubmit='return confirm(\"Are you sure you want to switch to the user $uid_escaped?\");'> $CSRFTokenHiddenFormInput - +
"; echo ""; diff --git a/webroot/panel/ajax/get_group_members.php b/webroot/panel/ajax/get_group_members.php index 15c0b08a8..669a95e0b 100644 --- a/webroot/panel/ajax/get_group_members.php +++ b/webroot/panel/ajax/get_group_members.php @@ -23,12 +23,14 @@ } else { echo ""; } - $fullname = $attributes["gecos"][0]; - $mail = $attributes["mail"][0]; - echo "$fullname"; - echo "$uid"; - echo "$mail"; - echo ""; + $uid_escaped = htmlspecialchars($uid); + $gecos = htmlspecialchars($attributes["gecos"][0]); + $mail_link = "mailto:" . urlencode($attributes["mail"][0]); + $mail_display = htmlspecialchars($attributes["mail"][0]); + echo "$gecos"; + echo "$uid_escaped"; + echo "$mail_display"; + echo ""; echo ""; $i++; } diff --git a/webroot/panel/groups.php b/webroot/panel/groups.php index d1a791232..580c32fe1 100644 --- a/webroot/panel/groups.php +++ b/webroot/panel/groups.php @@ -98,18 +98,20 @@ $WEBHOOK ); $requested_owner = $requested_account->getOwner(); - $full_name = $requested_owner->getFirstname() . " " . $requested_owner->getLastname(); - $mail = $requested_owner->getMail(); + $gecos = htmlspecialchars($requested_owner->getFullname()); + $mail_link = "mailto:" . urlencode($requested_owner->getMail()); + $mail_display = htmlspecialchars($requested_owner->getMail()); + $gid = htmlspecialchars($requested_account->gid); echo ""; - echo "$full_name"; + echo "$gecos"; echo "" . $requested_account->gid . ""; - echo "$mail"; + echo "$mail_display"; echo "" . date("jS F, Y", strtotime($request['timestamp'])) . ""; echo ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo "
$CSRFTokenHiddenFormInput - +
"; @@ -146,23 +148,25 @@ foreach ($PIGroupGIDs as $gid) { $group = new UnityGroup($gid, $LDAP, $SQL, $MAILER, $WEBHOOK); $owner = $group->getOwner(); - $full_name = $owner->getFirstname() . " " . $owner->getLastname(); if ($USER->uid == $owner->uid) { continue; } - + $gecos = htmlspecialchars($owner->getFullname()); + $gid_escaped = htmlspecialchars($group->gid); + $mail_link = "mailto:" . urlencode($owner->getMail()); + $mail_display = htmlspecialchars($owner->getMail()); echo ""; - echo "$full_name"; - echo "" . $group->gid . ""; - echo "" . $owner->getMail() . ""; + echo "$gecos"; + echo "$gid_escaped"; + echo "$mail_display"; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo "
+ onsubmit='return confirm(\"Are you sure you want to leave the PI group $gid_escaped?\")'> $CSRFTokenHiddenFormInput - +
"; diff --git a/webroot/panel/pi.php b/webroot/panel/pi.php index fc031d647..c6375131d 100644 --- a/webroot/panel/pi.php +++ b/webroot/panel/pi.php @@ -57,14 +57,15 @@ echo ""; foreach ($requests as [$user, $timestamp]) { - $uid = $user->uid; - $name = $user->getFullName(); - $email = $user->getMail(); + $uid = htmlspecialchars($user->uid); + $gecos = htmlspecialchars($user->getFullName()); + $mail_link = "mailto:" . urlencode($user->getMail()); + $mail_display = htmlspecialchars($user->getMail()); $date = date("jS F, Y", strtotime($timestamp)); echo ""; - echo ""; + echo ""; echo ""; - echo ""; + echo ""; echo ""; echo ""; echo ""; - echo ""; - echo ""; - echo ""; + echo ""; + echo ""; + echo ""; echo ""; }
$name$gecos$uid$email$mail_display$date"; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); @@ -96,7 +97,10 @@ if ($assoc->uid == $USER->uid) { continue; } - + $uid = htmlspecialchars($assoc->uid); + $gecos = htmlspecialchars($assoc->getFullName()); + $mail_link = "mailto:" . urlencode($assoc->getMail()); + $mail_display = htmlspecialchars($assoc->getMail()); echo "
"; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); @@ -114,9 +118,9 @@ > "; echo "" . $assoc->getFirstname() . " " . $assoc->getLastname() . "" . $assoc->uid . "" . $assoc->getMail() . "$gecos$uid$mail_display