From eb5e581995367746a319340ea2d02759e4acf7aa Mon Sep 17 00:00:00 2001 From: alekswilc Date: Sun, 3 Nov 2024 00:52:20 +0100 Subject: [PATCH] security(): prevent XSS attacks --- src/http/views/_modules/footer.ejs | 4 +-- src/http/views/leaderboard/index.ejs | 10 +++--- src/http/views/leaderboard/station.ejs | 8 ++--- src/http/views/leaderboard/train.ejs | 12 +++---- src/http/views/profiles/index.ejs | 42 +++++++++++----------- src/http/views/stations/details.ejs | 40 ++++++++++----------- src/http/views/stations/index.ejs | 20 +++++------ src/http/views/trains/details.ejs | 48 +++++++++++++------------- src/http/views/trains/index.ejs | 26 +++++++------- 9 files changed, 105 insertions(+), 105 deletions(-) diff --git a/src/http/views/_modules/footer.ejs b/src/http/views/_modules/footer.ejs index 5b51bbf..3ab5565 100644 --- a/src/http/views/_modules/footer.ejs +++ b/src/http/views/_modules/footer.ejs @@ -3,9 +3,9 @@ Community

Open Source

<% if (version) { %> - Wersja: <%- version %> + Wersja: <%= version %> <% } %> - Commit: <%- commit %> + Commit: <%= commit %>

<% if (thanks) { %>

Podziękowania dla społeczności discorda Simrail24, Tablica wyników

- + @@ -50,15 +50,15 @@ @@ -43,15 +43,15 @@ <%- include('../_modules/header.ejs', { section: 'profiles' }) %>
-

<%- steam.personaname %>

+

<%= steam.personaname %>

<%if (steamStats.stats) {%>
Statystyki Steam -

Zdobyte punkty: <%- steamStats.stats.find(x => x.name === 'SCORE')?.value ?? "0" %>

-

Przejechane kilometry: <%- (steamStats.stats.find(x => x.name === 'DISTANCE_M')?.value / 1000) ?? "0" %>

-

Czas spędzony jako dyżurny ruchu: <%- msToTime((steamStats.stats.find(x => x.name === 'DISPATCHER_TIME')?.value ?? 0)*1_000_000, true) || 'Nigdy nie wszedł w tryb dyżurnego ruchu.' %>

+

Zdobyte punkty: <%= steamStats.stats.find(x => x.name === 'SCORE')?.value ?? "0" %>

+

Przejechane kilometry: <%= (steamStats.stats.find(x => x.name === 'DISTANCE_M')?.value / 1000) ?? "0" %>

+

Czas spędzony jako dyżurny ruchu: <%= msToTime((steamStats.stats.find(x => x.name === 'DISPATCHER_TIME')?.value ?? 0)*1_000_000, true) || 'Nigdy nie wszedł w tryb dyżurnego ruchu.' %>


UWAGA: powyższe statystyki udostępnia platforma STEAM, mogą one być z łatwością manipulowane.
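Review bot: The `?? "0"` fallback on the new `Przejechane kilometry` line in this hunk never applies, because `undefined / 1000` evaluates to `NaN`, which is not nullish, so a profile without a `DISTANCE_M` stat renders `NaN` instead of `0`. The fallback has to wrap the value before the division: `Przejechane kilometry: <%= (steamStats.stats.find(x => x.name === 'DISTANCE_M')?.value ?? 0) / 1000 %>`. The switch from `<%-` to `<%=` is the right encoder for this text context and is unaffected by the change.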

@@ -61,21 +61,21 @@

Statystyki pociągów

<% if (player.trainTime) {%> -

Spędzony czas: <%- msToTime(player.trainTime) %>

-

Przejechane kilometry: <%- player.trainDistance / 1000 %>km

-

Zdobyte punkty: <%- player.trainPoints %>

-

Średnia prędkość: <%- ((player.trainDistance / (player.trainTime / 1000)) * 3.6).toFixed(2) %> km/h

+

Spędzony czas: <%= msToTime(player.trainTime) %>

+

Przejechane kilometry: <%= player.trainDistance / 1000 %>km

+

Zdobyte punkty: <%= player.trainPoints %>

+

Średnia prędkość: <%= ((player.trainDistance / (player.trainTime / 1000)) * 3.6).toFixed(2) %> km/h

<%}%> <% if (player.trainStats && Object.keys(player.trainStats).length) {%>
    <% Object.keys(player.trainStats).forEach(name => {%>
  • - <%- name %> -

    Przejechany dystans: <%- player.trainStats[name].distance / 1000 %>km

    -

    Spędzony czas: <%- msToTime(player.trainStats[name].time, true) %>

    -

    Zdobyte punkty: <%- player.trainStats[name].score %>

    -

    Średnia prędkość: <%- ((player.trainStats[name].distance / (player.trainStats[name].time / 1000)) * 3.6).toFixed(2) %> km/h

    + <%= name %> +

    Przejechany dystans: <%= player.trainStats[name].distance / 1000 %>km

    +

    Spędzony czas: <%= msToTime(player.trainStats[name].time, true) %>

    +

    Zdobyte punkty: <%= player.trainStats[name].score %>

    +

    Średnia prędkość: <%= ((player.trainStats[name].distance / (player.trainStats[name].time / 1000)) * 3.6).toFixed(2) %> km/h

  • @@ -87,15 +87,15 @@

    Statystyki posterunków

    <% if (player.dispatcherTime) {%> -

    Spędzony czas: <%- msToTime(player.dispatcherTime) %>

    +

    Spędzony czas: <%= msToTime(player.dispatcherTime) %>

    <%}%> <% if (player.dispatcherStats && Object.keys(player.dispatcherStats).length) {%>
      <% Object.keys(player.dispatcherStats).forEach(name => {%>
    • - <%- name %> -

      Spędzony czas: <%- msToTime(player.dispatcherStats[name].time, true) %>

      + <%= name %> +

      Spędzony czas: <%= msToTime(player.dispatcherStats[name].time, true) %>

    • diff --git a/src/http/views/stations/details.ejs b/src/http/views/stations/details.ejs index eb0ea14..4c0a163 100644 --- a/src/http/views/stations/details.ejs +++ b/src/http/views/stations/details.ejs @@ -6,13 +6,13 @@ simrail.alekswilc.dev + content="<%= record.stationName %> | <%= record.userUsername %> | <%= dayjs(record.leftDate).format('hh:mm DD/MM/YYYY') %>"> - + + content="<%= record.stationName %> | <%= record.userUsername %> | <%= dayjs(record.leftDate).format('hh:mm DD/MM/YYYY') %>""> - + @@ -40,7 +40,7 @@ } function copylink() { - navigator.clipboard.writeText("https://simrail.alekswilc.dev/stations/details/<%- record.id %>/") + navigator.clipboard.writeText("https://simrail.alekswilc.dev/stations/details/<%= record.id %>/") } @@ -49,28 +49,28 @@
      -

      Użytkownik: - <%- record.userUsername %> +

      Użytkownik: + <%= record.userUsername %>

      -

      Stacja: <%- record.stationName %> +

      Stacja: <%= record.stationName %>

      -

      Serwer: <%- record.server.toUpperCase() %> +

      Serwer: <%= record.server.toUpperCase() %>

      -

      Data wejścia: <%- record.joinedDate ? dayjs(record.joinedDate).format('HH:mm DD/MM/YYYY') : '--:-- --/--/--' - %> (<%- record.joinedDate ? dayjs(record.joinedDate).fromNow() : '--' %>)

      -

      Data wyjścia: <%- dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %> (<%- dayjs(record.leftDate).fromNow() +

      Data wejścia: <%= record.joinedDate ? dayjs(record.joinedDate).format('HH:mm DD/MM/YYYY') : '--:-- --/--/--' + %> (<%= record.joinedDate ? dayjs(record.joinedDate).fromNow() : '--' %>)

      +

      Data wyjścia: <%= dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %> (<%= dayjs(record.leftDate).fromNow() %>)

      -

      Spędzony czas: <%- record.joinedDate ? msToTime(record.leftDate - record.joinedDate, true) : '--' %> +

      Spędzony czas: <%= record.joinedDate ? msToTime(record.leftDate - record.joinedDate, true) : '--' %>


      - ;station: <%- record.stationName %> - ;steam: <%- record.userSteamId %> - ;server: <%- record.server %> - ;name: <%- record.userUsername %> - ;joined: <%-record.joinedDate ? dayjs(record.joinedDate).format() : 'no-data'%> - ;left: <%-dayjs(record.leftDate).format()%> - ;url: https://simrail.alekswilc.dev/stations/details/<%- record.id %>/ + ;station: <%= record.stationName %> + ;steam: <%= record.userSteamId %> + ;server: <%= record.server %> + ;name: <%= record.userUsername %> + ;joined: <%=record.joinedDate ? dayjs(record.joinedDate).format() : 'no-data'%> + ;left: <%=dayjs(record.leftDate).format()%> + ;url: https://simrail.alekswilc.dev/stations/details/<%= record.id %>/

      diff --git a/src/http/views/stations/index.ejs b/src/http/views/stations/index.ejs index e12d103..56af4d1 100644 --- a/src/http/views/stations/index.ejs +++ b/src/http/views/stations/index.ejs @@ -26,7 +26,7 @@

      Wyszukaj posterunek, osobe lub serwer

      - + @@ -38,25 +38,25 @@
    • [ - <%- record.server.toUpperCase() %> + <%= record.server.toUpperCase() %> ] - <%- record.stationName %> + <%= record.stationName %> - - <%- record.userUsername %> + <%= record.userUsername %>

      - <%- dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %> + <%= dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %>

      -

      Data dołączenia: <%- record.joinedDate ? dayjs(record.joinedDate).format('HH:mm DD/MM/YYYY') - : '--:-- --/--/--' %> (<%- record.joinedDate ? dayjs(record.joinedDate).fromNow() : '--' %>) +

      Data dołączenia: <%= record.joinedDate ? dayjs(record.joinedDate).format('HH:mm DD/MM/YYYY') + : '--:-- --/--/--' %> (<%= record.joinedDate ? dayjs(record.joinedDate).fromNow() : '--' %>)

      -

      Data wyjścia: <%- dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %> (<%- +

      Data wyjścia: <%= dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %> (<%= dayjs(record.leftDate).fromNow() %>)

      -

      Spędzony czas: <%- record.joinedDate ? msToTime(record.leftDate - record.joinedDate) : '--' %> +

      Spędzony czas: <%= record.joinedDate ? msToTime(record.leftDate - record.joinedDate) : '--' %>

      - +
      diff --git a/src/http/views/trains/details.ejs b/src/http/views/trains/details.ejs index ce4a838..3811f7b 100644 --- a/src/http/views/trains/details.ejs +++ b/src/http/views/trains/details.ejs @@ -6,13 +6,13 @@ simrail.alekswilc.dev + content="<%= record.stationName %> | <%= record.userUsername %> | <%= dayjs(record.leftDate).format('hh:mm DD/MM/YYYY') %>"> - + + content="<%= record.stationName %> | <%= record.userUsername %> | <%= dayjs(record.leftDate).format('hh:mm DD/MM/YYYY') %>""> - + @@ -40,7 +40,7 @@ } function copylink() { - navigator.clipboard.writeText("https://simrail.alekswilc.dev/trains/details/<%- record.id %>/") + navigator.clipboard.writeText("https://simrail.alekswilc.dev/trains/details/<%= record.id %>/") } @@ -49,35 +49,35 @@
      -

      Użytkownik: - <%- record.userUsername %> +

      Użytkownik: + <%= record.userUsername %>

      -

      Pociąg: <%- record.trainName %> <%- record.trainNumber %> +

      Pociąg: <%= record.trainName %> <%= record.trainNumber %>

      -

      Data wejścia: <%- record.joinedDate ? dayjs(record.joinedDate).format('HH:mm DD/MM/YYYY') : '--:-- --/--/--' - %> (<%- record.joinedDate ? dayjs(record.joinedDate).fromNow() : '--' %>)

      -

      Data wyjścia: <%- dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %> (<%- dayjs(record.leftDate).fromNow() +

      Data wejścia: <%= record.joinedDate ? dayjs(record.joinedDate).format('HH:mm DD/MM/YYYY') : '--:-- --/--/--' + %> (<%= record.joinedDate ? dayjs(record.joinedDate).fromNow() : '--' %>)

      +

      Data wyjścia: <%= dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %> (<%= dayjs(record.leftDate).fromNow() %>)

      -

      Spędzony czas: <%- record.joinedDate ? msToTime(record.leftDate - record.joinedDate, true) : '--' %> +

      Spędzony czas: <%= record.joinedDate ? msToTime(record.leftDate - record.joinedDate, true) : '--' %>

      <% if (record.distance) { %> -

      Przejechane kilometry: <%- record.distance / 1000 %>

      -

      Zdobyte punkty: <%- record.points %>

      -

      Średnia prędkość: <%- ((record.distance / ((record.leftDate - record.joinedDate) / 1000)) * 3.6).toFixed(2) %> km/h

      +

      Przejechane kilometry: <%= record.distance / 1000 %>

      +

      Zdobyte punkty: <%= record.points %>

      +

      Średnia prędkość: <%= ((record.distance / ((record.leftDate - record.joinedDate) / 1000)) * 3.6).toFixed(2) %> km/h

      <% } %>


      - ;train: <%- record.trainNumber %> - ;steam: <%- record.userSteamId %> - ;server: <%- record.server %> - ;name: <%- record.userUsername %> - ;joined: <%-record.joinedDate ? dayjs(record.joinedDate).format() : 'no-data'%> - ;left: <%-dayjs(record.leftDate).format()%><%if (record.distance) {%> - ;distance: <%- record.distance / 1000 %> - ;points: <%- record.points %><%}%> - ;url: https://simrail.alekswilc.dev/trains/details/<%- record.id %>/ + ;train: <%= record.trainNumber %> + ;steam: <%= record.userSteamId %> + ;server: <%= record.server %> + ;name: <%= record.userUsername %> + ;joined: <%=record.joinedDate ? dayjs(record.joinedDate).format() : 'no-data'%> + ;left: <%=dayjs(record.leftDate).format()%><%if (record.distance) {%> + ;distance: <%= record.distance / 1000 %> + ;points: <%= record.points %><%}%> + ;url: https://simrail.alekswilc.dev/trains/details/<%= record.id %>/
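Review bot: The new `Średnia prędkość` line divides by `record.leftDate - record.joinedDate` under a guard that only checks `record.distance`, while the `Data wejścia` and `Spędzony czas` lines a few lines above treat a missing `record.joinedDate` as a real case; when it is missing the subtraction yields `NaN` and the page renders `NaN km/h`. Guard that line the same way: `Średnia prędkość: <%= record.joinedDate ? ((record.distance / ((record.leftDate - record.joinedDate) / 1000)) * 3.6).toFixed(2) : '--' %> km/h`. The `<%=` switch itself is correct for this text context.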

      diff --git a/src/http/views/trains/index.ejs b/src/http/views/trains/index.ejs index 54c2150..f868d64 100644 --- a/src/http/views/trains/index.ejs +++ b/src/http/views/trains/index.ejs @@ -26,7 +26,7 @@

      Wyszukaj pociąg, osobe lub serwer

      - + @@ -38,31 +38,31 @@
    • [ - <%- record.server.toUpperCase() %> + <%= record.server.toUpperCase() %> ] - <%- record.trainName %> + <%= record.trainName %> - - <%- record.trainNumber %> + <%= record.trainNumber %> - - <%- record.userUsername %> + <%= record.userUsername %>

      - <%- dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %> + <%= dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %>

      -

      Data dołączenia: <%- record.joinedDate ? dayjs(record.joinedDate).format('HH:mm DD/MM/YYYY') - : '--:-- --/--/--' %> (<%- record.joinedDate ? dayjs(record.joinedDate).fromNow() : '--' %>) +

      Data dołączenia: <%= record.joinedDate ? dayjs(record.joinedDate).format('HH:mm DD/MM/YYYY') + : '--:-- --/--/--' %> (<%= record.joinedDate ? dayjs(record.joinedDate).fromNow() : '--' %>)

      -

      Data wyjścia: <%- dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %> (<%- +

      Data wyjścia: <%= dayjs(record.leftDate).format('HH:mm DD/MM/YYYY') %> (<%= dayjs(record.leftDate).fromNow() %>)

      -

      Spędzony czas: <%- record.joinedDate ? msToTime(record.leftDate - record.joinedDate) : '--' %> +

      Spędzony czas: <%= record.joinedDate ? msToTime(record.leftDate - record.joinedDate) : '--' %> <% if (record.distance) { %> -

      Przejechane kilometry: <%- record.distance / 1000 %>

      -

      Zdobyte punkty: <%- record.points %>

      +

      Przejechane kilometry: <%= record.distance / 1000 %>

      +

      Zdobyte punkty: <%= record.points %>

      <% } %>

      - +