escape LDAP attribute values

resources/mail/account_deletion_request_admin.php

@@ -8,9 +8,9 @@
 <p>A user has requested deletion of their account. User details are below:</p>
 
 <p>
-    <strong>Username</strong> <?php echo $data["user"]; ?>
+    <strong>Username</strong> <?php echo htmlspecialchars($data["user"]); ?>
     <br>
-    <strong>Name</strong> <?php echo $data["name"]; ?>
+    <strong>Name</strong> <?php echo htmlspecialchars($data["name"]); ?>
     <br>
-    <strong>Email</strong> <?php echo $data["email"]; ?>
+    <strong>Email</strong> <?php echo htmlspecialchars($data["email"]); ?>
 </p>

resources/mail/account_deletion_request_cancelled_admin.php

@@ -7,9 +7,9 @@
 <p>A user has cancelled their request for account deletion. User details are below:</p>
 
 <p>
-    <strong>Username</strong> <?php echo $data["user"]; ?>
+    <strong>Username</strong> <?php echo htmlspecialchars($data["user"]); ?>
     <br>
-    <strong>Name</strong> <?php echo $data["name"]; ?>
+    <strong>Name</strong> <?php echo htmlspecialchars($data["name"]); ?>
     <br>
-    <strong>Email</strong> <?php echo $data["email"]; ?>
+    <strong>Email</strong> <?php echo htmlspecialchars($data["email"]); ?>
 </p>

resources/mail/group_disband.php

@@ -5,7 +5,7 @@
 
 <p>Hello,</p>
 
-<p>Your PI group, <?php echo $data["group_name"]; ?>, has been disbanded on the UnityHPC Platform.
+<p>Your PI group, <?php echo htmlspecialchars($data["group_name"]); ?>, has been disbanded on the UnityHPC Platform.
 Any jobs associated with this PI account have been killed.</p>
 
 <p>If you believe this to be a mistake, please reply to this email</p>

resources/mail/group_join_request_cancelled.php

@@ -1,4 +1,4 @@
 <?php
 $this->Subject = "Unity PI Membership Request Cancelled: '" . $data["uid"] . "'"; ?>
 <p>Hello,</p>
-<p>The user '<?php echo $data["uid"]; ?>' has cancelled their request to join your PI group.</p>
+<p>The user '<?php echo htmlspecialchars($data["uid"]); ?>' has cancelled their request to join your PI group.</p>

resources/mail/group_request_admin.php

@@ -8,13 +8,13 @@
 <p>A user has requested a PI account. User details are below:</p>
 
 <p>
-    <strong>Username</strong> <?php echo $data["user"]; ?>
+    <strong>Username</strong> <?php echo htmlspecialchars($data["user"]); ?>
     <br>
-    <strong>Organization</strong> <?php echo $data["org"]; ?>
+    <strong>Organization</strong> <?php echo htmlspecialchars($data["org"]); ?>
     <br>
-    <strong>Name</strong> <?php echo $data["name"]; ?>
+    <strong>Name</strong> <?php echo htmlspecialchars($data["name"]); ?>
     <br>
-    <strong>Email</strong> <?php echo $data["email"]; ?>
+    <strong>Email</strong> <?php echo htmlspecialchars($data["email"]); ?>
 </p>
 
 <p>

resources/mail/group_request_cancelled.php

@@ -1,4 +1,4 @@
 <?php
 $this->Subject = "PI Request Cancelled: '" . $data["uid"] . "'"; ?>
 <p>Hello,</p>
-<p>The user '<?php echo $data["uid"]; ?>' has cancelled their request to become a PI.</p>
+<p>The user '<?php echo htmlspecialchars($data["uid"]); ?>' has cancelled their request to become a PI.</p>

resources/mail/group_user_added.php

@@ -5,7 +5,7 @@
 
 <p>Hello,</p>
 
-<p>You have been approved to join the PI group <?php echo $data["group"]; ?>.
+<p>You have been approved to join the PI group <?php echo htmlspecialchars($data["group"]); ?>.
 Navigate to the <?php echo getHyperlink("my groups", "panel/groups.php"); ?>
 page to see your PI groups.</p>
 

resources/mail/group_user_added_owner.php

@@ -7,18 +7,18 @@
 
 <p>
 A new user has been added to your PI group,
-'<?php echo $data["group"]; ?>'.
+'<?php echo htmlspecialchars($data["group"]); ?>'.
 The details of the new user are below:
 </p>
 
 <p>
-<strong>Username</strong> <?php echo $data["user"]; ?>
+<strong>Username</strong> <?php echo htmlspecialchars($data["user"]); ?>
 <br>
-<strong>Organization</strong> <?php echo $data["org"]; ?>
+<strong>Organization</strong> <?php echo htmlspecialchars($data["org"]); ?>
 <br>
-<strong>Name</strong> <?php echo $data["name"]; ?>
+<strong>Name</strong> <?php echo htmlspecialchars($data["name"]); ?>
 <br>
-<strong>Email</strong> <?php echo $data["email"]; ?>
+<strong>Email</strong> <?php echo htmlspecialchars($data["email"]); ?>
 </p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>

resources/mail/group_user_denied.php

@@ -5,6 +5,6 @@
 
 <p>Hello,</p>
 
-<p>You have been denied from joining the PI group <?php echo $data["group"]; ?>.</p>
+<p>You have been denied from joining the PI group <?php echo htmlspecialchars($data["group"]); ?>.</p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>

resources/mail/group_user_denied_owner.php

@@ -5,17 +5,17 @@
 
 <p>Hello,</p>
 
-<p>A user has been denied from joining your PI group, <?php echo $data["group"]; ?>.
+<p>A user has been denied from joining your PI group, <?php echo htmlspecialchars($data["group"]); ?>.
 The details of the denied user are below:</p>
 
 <p>
-<strong>Username</strong> <?php echo $data["user"]; ?>
+<strong>Username</strong> <?php echo htmlspecialchars($data["user"]); ?>
 <br>
-<strong>Organization</strong> <?php echo $data["org"]; ?>
+<strong>Organization</strong> <?php echo htmlspecialchars($data["org"]); ?>
 <br>
-<strong>Name</strong> <?php echo $data["name"]; ?>
+<strong>Name</strong> <?php echo htmlspecialchars($data["name"]); ?>
 <br>
-<strong>Email</strong> <?php echo $data["email"]; ?>
+<strong>Email</strong> <?php echo htmlspecialchars($data["email"]); ?>
 </p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>

resources/mail/group_user_removed.php

@@ -5,6 +5,6 @@
 
 <p>Hello,</p>
 
-<p>You have been removed from the PI group <?php echo $data["group"]; ?>.</p>
+<p>You have been removed from the PI group <?php echo htmlspecialchars($data["group"]); ?>.</p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>

resources/mail/group_user_removed_owner.php

@@ -7,18 +7,18 @@
 
 <p>
 A user has been removed from your PI group,
-'<?php echo $data["group"]; ?>'.
+'<?php echo htmlspecialchars($data["group"]); ?>'.
 The details of the removed user are below:
 </p>
 
 <p>
-<strong>Username</strong> <?php echo $data["user"]; ?>
+<strong>Username</strong> <?php echo htmlspecialchars($data["user"]); ?>
 <br>
-<strong>Organization</strong> <?php echo $data["org"]; ?>
+<strong>Organization</strong> <?php echo htmlspecialchars($data["org"]); ?>
 <br>
-<strong>Name</strong> <?php echo $data["name"]; ?>
+<strong>Name</strong> <?php echo htmlspecialchars($data["name"]); ?>
 <br>
-<strong>Email</strong> <?php echo $data["email"]; ?>
+<strong>Email</strong> <?php echo htmlspecialchars($data["email"]); ?>
 </p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>

resources/mail/group_user_request.php

@@ -5,6 +5,6 @@
 
 <p>Hello,</p>
 
-<p>You have requested to join the group <?php echo $data["group"]; ?>.</p>
+<p>You have requested to join the group <?php echo htmlspecialchars($data["group"]); ?>.</p>
 
 <p>If you believe this to be a mistake, please reply to this email as soon as possible.</p>

resources/mail/group_user_request_owner.php

@@ -7,18 +7,18 @@
 
 <p>
 A user has requested to join your PI group,
-'<?php echo $data["group"]; ?>'.
+'<?php echo htmlspecialchars($data["group"]); ?>'.
 The details of the user are below:
 </p>
 
 <p>
-<strong>Username</strong> <?php echo $data["user"]; ?>
+<strong>Username</strong> <?php echo htmlspecialchars($data["user"]); ?>
 <br>
-<strong>Organization</strong> <?php echo $data["org"]; ?>
+<strong>Organization</strong> <?php echo htmlspecialchars($data["org"]); ?>
 <br>
-<strong>Name</strong> <?php echo $data["name"]; ?>
+<strong>Name</strong> <?php echo htmlspecialchars($data["name"]); ?>
 <br>
-<strong>Email</strong> <?php echo $data["email"]; ?>
+<strong>Email</strong> <?php echo htmlspecialchars($data["email"]); ?>
 </p>
 
 <p>You can approve or deny this user on the

resources/mail/user_flag_added.php

@@ -5,9 +5,9 @@
 <p>Hello,</p>
 <p>Your account on the UnityHPC Platform has been activated. Your account details are below:</p>
 <p>
-<strong>Username</strong> <?php echo $data["user"]; ?>
+<strong>Username</strong> <?php echo htmlspecialchars($data["user"]); ?>
 <br>
-<strong>Organization</strong> <?php echo $data["org"]; ?>
+<strong>Organization</strong> <?php echo htmlspecialchars($data["org"]); ?>
 </p>
 <p>
 See the

resources/mail/user_flag_added_admin.php

@@ -3,35 +3,35 @@
 case UserFlag::QUALIFIED: ?>
 <?php $this->Subject = "User Qualified"; ?>
 <p>Hello,</p>
-<p>User "<?php echo $data["user"] ?>" has been qualified. </p>
+<p>User "<?php echo htmlspecialchars($data["user"]) ?>" has been qualified. </p>
 <?php break; ?>
 
 <?php /////////////////////////////////////////////////////////////////////////////////////////// ?>
 <?php case UserFlag::GHOST: ?>
 <?php $this->Subject = "User Ghosted"; ?>
 <p>Hello,</p>
-<p>User "<?php echo $data["user"] ?>" has been marked as ghost. </p>
+<p>User "<?php echo htmlspecialchars($data["user"]) ?>" has been marked as ghost. </p>
 <?php break; ?>
 
 <?php /////////////////////////////////////////////////////////////////////////////////////////// ?>
 <?php case UserFlag::LOCKED: ?>
 <?php $this->Subject = "User Locked"; ?>
 <p>Hello,</p>
-<p>User "<?php echo $data["user"] ?>" has been locked. </p>
+<p>User "<?php echo htmlspecialchars($data["user"]) ?>" has been locked. </p>
 <?php break; ?>
 
 <?php /////////////////////////////////////////////////////////////////////////////////////////// ?>
 <?php case UserFlag::IDLELOCKED: ?>
 <?php $this->Subject = "User Idle Locked"; ?>
 <p>Hello,</p>
-<p>User "<?php echo $data["user"] ?>" has been idle locked. </p>
+<p>User "<?php echo htmlspecialchars($data["user"]) ?>" has been idle locked. </p>
 <?php break; ?>
 
 <?php /////////////////////////////////////////////////////////////////////////////////////////// ?>
 <?php case UserFlag::ADMIN: ?>
 <?php $this->Subject = "User Promoted"; ?>
 <p>Hello,</p>
-<p>User "<?php echo $data["user"] ?>" has been promoted to admin. </p>
+<p>User "<?php echo htmlspecialchars($data["user"]) ?>" has been promoted to admin. </p>
 <?php break; ?>
 
 <?php /////////////////////////////////////////////////////////////////////////////////////////// ?>

resources/mail/user_flag_removed_admin.php

@@ -3,35 +3,35 @@
 case UserFlag::QUALIFIED: ?>
 <?php $this->Subject = "User Dequalified"; ?>
 <p>Hello,</p>
-<p>User "<?php echo $data["user"] ?>" has been dequalified. </p>
+<p>User "<?php echo htmlspecialchars($data["user"]) ?>" has been dequalified. </p>
 <?php break; ?>
 
 <?php /////////////////////////////////////////////////////////////////////////////////////////// ?>
 <?php case UserFlag::GHOST: ?>
 <?php $this->Subject = "User Resurrected"; ?>
 <p>Hello,</p>
-<p>User "<?php echo $data["user"] ?>" has been resurrected (no longer marked as ghost). </p>
+<p>User "<?php echo htmlspecialchars($data["user"]) ?>" has been resurrected (no longer marked as ghost). </p>
 <?php break; ?>
 
 <?php /////////////////////////////////////////////////////////////////////////////////////////// ?>
 <?php case UserFlag::LOCKED: ?>
 <?php $this->Subject = "User Unlocked"; ?>
 <p>Hello,</p>
-<p>User "<?php echo $data["user"] ?>" has been unlocked. </p>
+<p>User "<?php echo htmlspecialchars($data["user"]) ?>" has been unlocked. </p>
 <?php break; ?>
 
 <?php /////////////////////////////////////////////////////////////////////////////////////////// ?>
 <?php case UserFlag::IDLELOCKED: ?>
 <?php $this->Subject = "User Idle Unlocked"; ?>
 <p>Hello,</p>
-<p>User "<?php echo $data["user"] ?>" has been idle unlocked. </p>
+<p>User "<?php echo htmlspecialchars($data["user"]) ?>" has been idle unlocked. </p>
 <?php break; ?>
 
 <?php /////////////////////////////////////////////////////////////////////////////////////////// ?>
 <?php case UserFlag::ADMIN: ?>
 <?php $this->Subject = "User Demoted"; ?>
 <p>Hello,</p>
-<p>User "<?php echo $data["user"] ?>" has been demoted from admin. </p>
+<p>User "<?php echo htmlspecialchars($data["user"]) ?>" has been demoted from admin. </p>
 <?php break; ?>
 
 <?php /////////////////////////////////////////////////////////////////////////////////////////// ?>

resources/mail/user_loginshell.php

@@ -5,7 +5,7 @@
 
 <p>Hello,</p>
 
-<p>You have updated your login shell on the UnityHPC Platform to <?php echo $data["new_shell"]; ?>.
+<p>You have updated your login shell on the UnityHPC Platform to <?php echo htmlspecialchars($data["new_shell"]); ?>.
 You can view the login shell settings on the
 <?php echo getHyperlink("account settings", "panel/account.php"); ?> page</p>
 

resources/mail/user_sshkey.php

@@ -10,7 +10,7 @@
 </p>
 
 <?php foreach ($data["keys"] as $key) {
-    echo "<pre>$key</pre>";
+    echo "<pre>" . htmlspecialchars($key) . "</pre>";
 } ?>
 
 <p>

webroot/admin/ajax/get_group_members.php

@@ -26,25 +26,28 @@
     } else {
         echo "<tr class='expanded $i'>";
     }
-    $fullname = $attributes["gecos"][0];
-    $mail = $attributes["mail"][0];
-    echo "<td>$fullname</td>";
-    echo "<td>$uid</td>";
-    echo "<td><a href='mailto:$mail'>$mail</a></td>";
+    $uid_escaped = htmlspecialchars($uid);
+    $gecos = htmlspecialchars($attributes["gecos"][0]);
+    $mail_link = "mailto:" . urlencode($attributes["mail"][0]);
+    $mail_display = htmlspecialchars($attributes["mail"][0]);
+    $gid_escaped = htmlspecialchars($group->gid);
+    echo "<td>$gecos</td>";
+    echo "<td>$uid_escaped</td>";
+    echo "<td><a href='$mail_link'>$mail_display</a></td>";
     echo "<td>";
     $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput();
     echo "
         <form
             action=''
             method='POST'
             onsubmit='
-                return confirm(\"Are you sure you want to remove $uid from this group?\");
+                return confirm(\"Are you sure you want to remove $uid_escaped from this group?\");
             '
         >
         $CSRFTokenHiddenFormInput
         <input type='hidden' name='form_type' value='remUserChild'>
-        <input type='hidden' name='uid' value='$uid'>
-        <input type='hidden' name='pi' value='$group->gid'>
+        <input type='hidden' name='uid' value='$uid_escaped'>
+        <input type='hidden' name='pi' value='$gid_escaped'>
         <input type='submit' value='Remove'>
         </form>
     ";
@@ -59,20 +62,23 @@
     } else {
         echo "<tr class='expanded $i'>";
     }
-    $name = $user->getFullName();
-    $email = $user->getMail();
-    echo "<td>$name</td>";
-    echo "<td>$user->uid</td>";
-    echo "<td><a href='mailto:$email'>$email</a></td>";
+    $gecos = htmlspecialchars($user->getFullName());
+    $uid_escaped = htmlspecialchars($user->uid);
+    $mail_link = "mailto:" . urlencode($user->getMail());
+    $mail_display = htmlspecialchars($user->getMail());
+    $gid_escaped = htmlspecialchars($group->gid);
+    echo "<td>$gecos</td>";
+    echo "<td>$uid_escaped</td>";
+    echo "<td><a href='$mail_link'>$mail_display</a></td>";
     echo "<td>";
     $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput();
     echo
         "<form action='' method='POST'
-    onsubmit='return confirm(\"Are you sure you want to approve $user->uid ?\");'>
+    onsubmit='return confirm(\"Are you sure you want to approve $uid_escaped ?\");'>
     $CSRFTokenHiddenFormInput
     <input type='hidden' name='form_type' value='reqChild'>
-    <input type='hidden' name='uid' value='$user->uid'>
-    <input type='hidden' name='pi' value='$group->gid'>
+    <input type='hidden' name='uid' value='$uid_escaped'>
+    <input type='hidden' name='pi' value='$gid_escaped'>
     <input type='submit' name='action' value='Approve'>
     <input type='submit' name='action' value='Deny'></form>";
     echo "</td>";