Prevents cross-site scripting (XSS) in the parameter username, Error messages now multilingual

CHANGELOG.md

@@ -48,7 +48,7 @@
 - German translation for Comment Center plugin added ([#148](https://github.com/flatpressblog/flatpress/issues/148))
 - Fixed not-yet-translated phrases in Blog view and Admin Area ([#171](https://github.com/flatpressblog/flatpress/issues/171))
 - Contact form: Admin notification mail is now localized ([#205](https://github.com/flatpressblog/flatpress/issues/205))
-- Setup tries to determine local language automatically ([#197](https://github.com/flatpressblog/flatpress/issues/197), [#216](https://github.com/flatpressblog/flatpress/issues/216))
+- Setup tries to determine local language automatically ([#197](https://github.com/flatpressblog/flatpress/issues/197), [#216](https://github.com/flatpressblog/flatpress/issues/216), [#262](https://github.com/flatpressblog/flatpress/issues/262))
 
 ## Bugfixes
 - Plugin management page: Removed empty warning messages box
@@ -70,6 +70,7 @@
 - Possible XSSs in Admin Area prevented ([#180](https://github.com/flatpressblog/flatpress/issues/180), [#183](https://github.com/flatpressblog/flatpress/issues/183), [#187](https://github.com/flatpressblog/flatpress/issues/187))
 - Possible XSS in comments prevented ([#186](https://github.com/flatpressblog/flatpress/issues/186))
 - Possible CSRFs in Admin Area prevented ([#64](https://github.com/flatpressblog/flatpress/issues/64))
+- Possible XSS in FlatPress Installer prevented ([#220](https://github.com/flatpressblog/flatpress/issues/220))
 
 # 2021-06-19: [FlatPress 1.2.1](https://github.com/flatpressblog/flatpress/releases/tag/1.2.1)
 ## Bugfixes

setup/lang/lang.cs-cz.php

@@ -1,6 +1,6 @@
 <?php
 /*
- * LangId: English
+ * LangId: Czechiscg
  */
 $lang ['locked'] = array(
 	'head' => 'Setup je uzamčen',
@@ -17,6 +17,25 @@
 		</ul>'
 );
 
+$lang ['err'] = array(
+	'setuprun1' => 'Instalace probíhá.',
+
+	'setuprun2' => 'Nastavení je spuštěno: Pokud jste správce, můžete odstranit ',
+	'setuprun3' => ' restartovat.',
+	'writeerror' => 'Chyba při psaní',
+
+	'fpuser1' => ' není platný uživatel. 
+		Uživatelské jméno musí být alfanumerické a nesmí obsahovat žádné mezery.',
+	'fpuser2' => ' není platný uživatel.
+		Uživatelské jméno může obsahovat pouze písmena, číslice a 1 podtržítko.',
+	'fppwd' => 'Heslo musí obsahovat alespoň 6 znaků a žádné mezery.',
+	'fppwd2' => 'Hesla se neshodují.',
+	'email' => ' není platná e-mailová adresa.',
+	'www' => ' není platná adresa URL.',
+	'error' => '<p><big>Chyba!</big> 
+		Při zpracování formuláře došlo k následujícím chybám:</p><ul>'
+);
+
 $lang ['step1'] = array(
 	'head' => 'Vítejte ve FlatPressu!',
 	'descr' => 'Děkujeme, že jste si vybrali <strong>FlatPress</strong>.

setup/lang/lang.de-de.php

@@ -16,6 +16,25 @@
 		</ul>'
 );
 
+$lang ['err'] = array(
+	'setuprun1' => 'Die Installation läuft.',
+
+	'setuprun2' => 'Die Installation läuft bereits: Wenn du der Administrator bist, kannst du ',
+	'setuprun3' => ' löschen, um neu zu starten.',
+	'writeerror' => 'Fehler beim Schreiben',
+
+	'fpuser1' => ' ist kein gültiger Benutzer.
+		Der Benutzername muss alphanumerisch sein und darf keine Leerzeichen enthalten.',
+	'fpuser2' => ' ist kein gültiger Benutzer.
+		Der Benutzername darf nur Buchstaben, Zahlen und 1 Unterstrich enthalten.',
+	'fppwd' => 'Das Passwort muss mindestens 6 Zeichen und darf keine Leerzeichen enthalten.',
+	'fppwd2' => 'Die Passwörter stimmen nicht überein.',
+	'email' => ' ist keine gültige E-Mail Adresse.',
+	'www' => ' ist keine gültige URL.',
+	'error' => '<p><big>Fehler!</big> 
+		Bei der Bearbeitung des Formulars sind die folgenden Fehler aufgetreten:</p><ul>'
+);
+
 $lang ['step1'] = array(
 	'head' => 'Willkommen bei FlatPress!',
 	'descr' => 'Danke, dass du dich für <strong>FlatPress</strong> entschieden hast.

setup/lang/lang.it-it.php

@@ -17,6 +17,25 @@
 		</ul>'
 );
 
+$lang ['err'] = array(
+	'setuprun1' => 'L\'installazione è in corso.',
+
+	'setuprun2' => 'L\'installazione è già in corso: se siete l\'amministratore, potete cancellare ',
+	'setuprun3' => ' per riavviare.',
+	'writeerror' => 'Errore di scrittura',
+
+	'fpuser1' => ' non è un utente valido.
+		Il nome utente deve essere alfanumerico e non deve contenere spazi.',
+	'fpuser2' => ' non è un utente valido.
+		Il nome utente può contenere solo lettere, numeri e 1 trattino basso.',
+	'fppwd' => 'La password deve contenere almeno 6 caratteri e nessuno spazio.',
+	'fppwd2' => 'Le password non corrispondono.',
+	'email' => ' non è un indirizzo e-mail valido.',
+	'www' => ' non è un URL valido.',
+	'error' => '<p><big>Errore!</big> 
+		Durante l\'elaborazione del modulo si sono verificati i seguenti errori:</p><ul>'
+);
+
 $lang ['step1'] = array(
 	'head' => 'Benvenuto in FlatPress!',
 	'descr' => 'Grazie per aver scelto <strong>FlatPress</strong>.

setup/lang/lang.ja-jp.php

@@ -17,6 +17,25 @@
 		</ul>'
 );
 
+$lang ['err'] = array(
+	'setuprun1' => 'インストールは実行中です。',
+
+	'setuprun2' => 'インストールがすでに実行されています: 管理者であれば、 ',
+	'setuprun3' => ' を削除して再起動できます。',
+	'writeerror' => '書き込みエラー',
+
+	'fpuser1' => ' は有効なユーザーではありません。
+		ユーザー名は英数字でなければならず、スペースを含んではならない。',
+	'fpuser2' => ' は有効なユーザーではありません。
+		ユーザー名にはアルファベット、数字、アンダースコア1文字のみを使用することができます。',
+	'fppwd' => 'パスワードは6文字以上で、スペースは使用しないでください。',
+	'fppwd2' => 'パスワードが一致しない。',
+	'email' => ' は有効なメールアドレスではありません。',
+	'www' => ' は有効なURLではありません。',
+	'error' => '<p><big>エラー！</big> 
+		フォームの処理中に以下のエラーが発生しました：</p><ul>'
+);
+
 $lang ['step1'] = array(
 	'head' => 'ようこそFlatPressへ',
 	'descr' => '<strong>FlatPress</strong>を選んでくださり, 感謝申し上げます!

setup/lang/lang.nl-nl.php

@@ -17,6 +17,25 @@
 		</ul>'
 );
 
+$lang ['err'] = array(
+	'setuprun1' => 'De installatie wordt uitgevoerd.',
+
+	'setuprun2' => 'De installatie loopt al: Als je de beheerder bent, kun je ',
+	'setuprun3' => ' verwijderen om opnieuw te starten.',
+	'writeerror' => 'Fout in schrijven',
+
+	'fpuser1' => ' is geen geldige gebruiker.
+		De gebruikersnaam moet alfanumeriek zijn en mag geen spaties bevatten.',
+	'fpuser2' => ' is geen geldige gebruiker.
+		De gebruikersnaam mag alleen letters, cijfers en 1 underscore bevatten.',
+	'fppwd' => 'Het wachtwoord moet minstens 6 tekens en geen spaties bevatten.',
+	'fppwd2' => 'De wachtwoorden komen niet overeen.',
+	'email' => ' is geen geldig e-mailadres.',
+	'www' => ' is geen geldige URL.',
+	'error' => '<p><big>Fout!</big> 
+		De volgende fouten zijn opgetreden tijdens het verwerken van het formulier:</p><ul>'
+);
+
 $lang ['step1'] = array(
 	'head' => 'Welkom bij FlatPress!',
 	'descr' => 'Bedankt dat je gekozen hebt voor <strong>FlatPress</strong>.

setup/lang/lang.pt-br.php

@@ -1,6 +1,6 @@
 <?php
 /*
- * LangId: English
+ * LangId: Português (BR)
  */
 
 // TERMINADO!
@@ -19,6 +19,25 @@
 		</ul>'
 );
 
+$lang ['err'] = array(
+	'setuprun1' => 'A instalação está sendo executada.',
+
+	'setuprun2' => 'A instalação já está em execução: se você for o administrador, poderá excluir ',
+	'setuprun3' => ' para reiniciar.',
+	'writeerror' => 'Erro de escrita',
+
+	'fpuser1' => ' não é um usuário válido.
+		O nome de usuário deve ser alfanumérico e não deve conter espaços.',
+	'fpuser2' => ' não é um usuário válido.
+		O nome de usuário só pode conter letras, números e um sublinhado.',
+	'fppwd' => 'A senha deve conter pelo menos 6 caracteres e nenhum espaço.',
+	'fppwd2' => 'As senhas não correspondem.',
+	'email' => ' não é um endereço de e-mail válido.',
+	'www' => ' não é um URL válido.',
+	'error' => '<p><big>Erro!</big> 
+		Os seguintes erros ocorreram durante o processamento do formulário:</p><ul>'
+);
+
 $lang ['step1'] = array(
 	'head' => 'Bem-vindo ao FlatPress!',
 	'descr' => 'Obrigado por escolher <strong>o FlatPress</strong>.

setup/lib/main.lib.php

@@ -2,7 +2,7 @@
 $err = array();
 
 function print_done_fail($label, $bool) {
-	echo "<li>", $label . ' <strong style="color :' . (($bool) ? 'green;">DONE' : 'red;">FAILED') . '</strong><br />', "</li>\n";
+	echo "<li>", $label . ' <strong style="color: ' . (($bool) ? 'green;">DONE' : 'red;">FAILED') . '</strong><br>', "</li>\n";
 }
 
 function config_exist() {
@@ -35,7 +35,7 @@ function setupid() {
 }
 
 function getstep(&$id) {
-	global $err;
+	global $err, $lang;
 
 	$STEPS = array(
 		'locked',
@@ -54,7 +54,7 @@ function getstep(&$id) {
 		$setupid = setupid();
 
 		if (!$setupid)
-			die('Setup is running');
+			die($lang ['err'] ['setuprun1']);
 
 		if (!file_exists(SETUPTEMP_FILE)) {
 			if (empty($_POST))
@@ -64,7 +64,7 @@ function getstep(&$id) {
 		} else {
 			$x = explode(',', io_load_file(SETUPTEMP_FILE));
 			if ($x [0] != $setupid)
-				die('Setup is running: if you are the owner, you can delete ' . SETUPTEMP_FILE . ' to restart');
+				die($lang ['err'] ['setuprun2'] . SETUPTEMP_FILE . $lang ['err'] ['setuprun3']);
 			$i = intval($x [1]);
 		}
 
@@ -83,7 +83,7 @@ function check_step() {
 				io_write_file(LOCKFILE, "locked");
 			} else {
 				if ($i > 0 && !@io_write_file(SETUPTEMP_FILE, "$setupid,$i")) {
-					$err [] = 'Write error';
+					$err [] = $lang ['err'] ['writeerror'];
 				}
 			}
 		}
@@ -95,26 +95,26 @@ function check_step() {
 }
 
 function validate() {
+	global $lang;
 	$fpuser = strip_tags($_POST ['fpuser']);
 	$fppwd = $_POST ['fppwd'];
 	$fppwd2 = $_POST ['fppwd2'];
 	$email = strip_tags($_POST ['email']);
 	$www = strip_tags($_POST ['www']);
-	if (!ctype_alnum($fpuser)) {
-		$err [] = $fpuser . " is not a valid username. 
-		Username must be alphanumeric and should not contain spaces.";
+	if (!(preg_match('/^[\w]+$/u', $fpuser))) {
+		$err [] = $fpuser . $lang ['err'] ['fpuser2'];
 	}
 	if (strlen(trim(($fppwd))) < 6) {
-		$err [] = "Password must contain at least 6 non-space characters";
+		$err [] = $lang ['err'] ['fppwd'];
 	}
 	if (($fppwd) != ($fppwd2)) {
-		$err [] = "Passwords did not match";
+		$err [] = $lang ['err'] ['fppwd2'];
 	}
 	if (!(preg_match('!@.*@|\.\.|\,|\;!', $email) || preg_match('!^.+\@(\[?)[a-zA-Z0-9\.\-]+\.([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$!', $email))) {
-		$err [] = $email . " is not a valid email address";
+		$err [] = $email . $lang ['err'] ['email'];
 	}
 	if (!(preg_match('!^http(s)?://[\w-]+\.[\w-]+(\S+)?$!i', $www) || preg_match('!^http(s)?://localhost!', $www)))
-		$err [] = $www . " is not a valid URL";
+		$err [] = $www . $lang ['err'] ['www'];
 	if ($www && $www [strlen($www) - 1] != '/') {
 		$www .= '/';
 	}
@@ -145,9 +145,9 @@ function validate() {
 
 function print_err() {
 	global $err;
+	global $lang;
 	if (isset($err)) {
-		echo "<p><big>Error!</big> 
-		The following errors have been encountered processing the form:</p><ul>";
+		echo $lang ['err'] ['www'];
 		foreach ($err as $val) {
 			echo "<li>$val</li>";
 		}