webcpanel: escape values in template_fileserver

Remove other escapes to prevent double escape.

Not all replaced values were escaped, such as replies from commands.

7 files changed, 20 insertions, 16 deletions

diff --git a/modules/webcpanel/pages/chanserv/access.cpp b/modules/webcpanel/pages/chanserv/access.cpp
index abe0621f6..52b8cd62c 100644
--- a/modules/webcpanel/pages/chanserv/access.cpp
+++ b/modules/webcpanel/pages/chanserv/access.cpp
@@ -103,9 +103,9 @@ bool WebCPanel::ChanServ::Access::OnRequest(HTTPProvider *server, const Anope::s
 	{
 		ChanAccess *access = ci->GetAccess(i);
 
-		replacements["MASKS"] = HTTPUtils::Escape(access->Mask());
-		replacements["ACCESSES"] = HTTPUtils::Escape(access->AccessSerialize());
-		replacements["CREATORS"] = HTTPUtils::Escape(access->creator);
+		replacements["MASKS"] = access->Mask();
+		replacements["ACCESSES"] = access->AccessSerialize();
+		replacements["CREATORS"] = access->creator;
 	}
 
 	if (Service::FindService("Command", "chanserv/access"))
diff --git a/modules/webcpanel/pages/chanserv/akick.cpp b/modules/webcpanel/pages/chanserv/akick.cpp
index 306f99030..89300e67f 100644
--- a/modules/webcpanel/pages/chanserv/akick.cpp
+++ b/modules/webcpanel/pages/chanserv/akick.cpp
@@ -74,11 +74,11 @@ bool WebCPanel::ChanServ::Akick::OnRequest(HTTPProvider *server, const Anope::st
 		AutoKick *akick = ci->GetAkick(i);
 
 		if (akick->nc)
-			replacements["MASKS"] = HTTPUtils::Escape(akick->nc->display);
+			replacements["MASKS"] = akick->nc->display;
 		else
-			replacements["MASKS"] = HTTPUtils::Escape(akick->mask);
-		replacements["CREATORS"] = HTTPUtils::Escape(akick->creator);
-		replacements["REASONS"] = HTTPUtils::Escape(akick->reason);
+			replacements["MASKS"] = akick->mask;
+		replacements["CREATORS"] = akick->creator;
+		replacements["REASONS"] = akick->reason;
 	}
 
 	Page.Serve(server, page_name, client, message, reply, replacements);
diff --git a/modules/webcpanel/pages/chanserv/modes.cpp b/modules/webcpanel/pages/chanserv/modes.cpp
index 671a9c948..e678335f0 100644
--- a/modules/webcpanel/pages/chanserv/modes.cpp
+++ b/modules/webcpanel/pages/chanserv/modes.cpp
@@ -96,7 +96,7 @@ bool WebCPanel::ChanServ::Modes::OnRequest(HTTPProvider *server, const Anope::st
 
 		std::vector<Anope::string> v = c->GetModeList(cm->name);
 		for (unsigned int i = 0; i < v.size(); ++i)
-			replacements["MASKS"] = HTTPUtils::Escape(v[i]);
+			replacements["MASKS"] = v[i];
 	}
 
 	Page.Serve(server, page_name, client, message, reply, replacements);
diff --git a/modules/webcpanel/pages/chanserv/set.cpp b/modules/webcpanel/pages/chanserv/set.cpp
index c0d4121fa..a410bc69c 100644
--- a/modules/webcpanel/pages/chanserv/set.cpp
+++ b/modules/webcpanel/pages/chanserv/set.cpp
@@ -102,7 +102,7 @@ bool WebCPanel::ChanServ::Set::OnRequest(HTTPProvider *server, const Anope::stri
 		}
 	}
 
-	replacements["CHANNEL"] = HTTPUtils::Escape(ci->name);
+	replacements["CHANNEL"] = ci->name;
 	replacements["CHANNEL_ESCAPED"] = HTTPUtils::URLEncode(ci->name);
 	if (ci->GetFounder())
 		replacements["FOUNDER"] = ci->GetFounder()->display;
@@ -114,8 +114,8 @@ bool WebCPanel::ChanServ::Set::OnRequest(HTTPProvider *server, const Anope::stri
 
 	if (!ci->last_topic.empty())
 	{
-		replacements["LAST_TOPIC"] = HTTPUtils::Escape(ci->last_topic);
-		replacements["LAST_TOPIC_SETTER"] = HTTPUtils::Escape(ci->last_topic_setter);
+		replacements["LAST_TOPIC"] = ci->last_topic;
+		replacements["LAST_TOPIC_SETTER"] = ci->last_topic_setter;
 	}
 
 	if (can_set)
diff --git a/modules/webcpanel/pages/memoserv/memos.cpp b/modules/webcpanel/pages/memoserv/memos.cpp
index 76e922949..70d36978e 100644
--- a/modules/webcpanel/pages/memoserv/memos.cpp
+++ b/modules/webcpanel/pages/memoserv/memos.cpp
@@ -101,7 +101,7 @@ bool WebCPanel::MemoServ::Memos::OnRequest(HTTPProvider *server, const Anope::st
 		replacements["NUMBER"] = stringify(i+1);
 		replacements["SENDER"] = m->sender;
 		replacements["TIME"] = Anope::strftime(m->time);
-		replacements["TEXT"] = HTTPUtils::Escape(m->text);
+		replacements["TEXT"] = m->text;
 		if (m->unread)
 			replacements["UNREAD"] = "YES";
 		else
diff --git a/modules/webcpanel/pages/nickserv/info.cpp b/modules/webcpanel/pages/nickserv/info.cpp
index 441bfca66..e875bda2c 100644
--- a/modules/webcpanel/pages/nickserv/info.cpp
+++ b/modules/webcpanel/pages/nickserv/info.cpp
@@ -84,9 +84,9 @@ bool WebCPanel::NickServ::Info::OnRequest(HTTPProvider *server, const Anope::str
 		}
 	}
 
-	replacements["DISPLAY"] = HTTPUtils::Escape(na->nc->display);
+	replacements["DISPLAY"] = na->nc->display;
 	if (na->nc->email.empty() == false)
-		replacements["EMAIL"] = HTTPUtils::Escape(na->nc->email);
+		replacements["EMAIL"] = na->nc->email;
 	replacements["TIME_REGISTERED"] = Anope::strftime(na->time_registered, na->nc);
 	if (na->HasVhost())
 	{
@@ -97,7 +97,7 @@ bool WebCPanel::NickServ::Info::OnRequest(HTTPProvider *server, const Anope::str
 	}
 	Anope::string *greet = na->nc->GetExt<Anope::string>("greet");
 	if (greet)
-		replacements["GREET"] = HTTPUtils::Escape(*greet);
+		replacements["GREET"] = *greet;
 	if (na->nc->HasExt("AUTOOP"))
 		replacements["AUTOOP"];
 	if (na->nc->HasExt("NS_PRIVATE"))
diff --git a/modules/webcpanel/template_fileserver.cpp b/modules/webcpanel/template_fileserver.cpp
index 341058659..8c6cd10a6 100644
--- a/modules/webcpanel/template_fileserver.cpp
+++ b/modules/webcpanel/template_fileserver.cpp
@@ -238,7 +238,11 @@ void TemplateFileServer::Serve(HTTPProvider *server, const Anope::string &page_n
 
 				if (ifok && forok)
 				{
-					const Anope::string &replacement = FindReplacement(r, content.substr(0, f - 1));
+					Anope::string replacement = FindReplacement(r, content.substr(0, f - 1));
+
+					// htmlescape all text replaced onto the page
+					replacement = HTTPUtils::Escape(replacement);
+
 					finished += replacement;
 				}
 			}