From affe02ec044649795496ffe63bf8eb32b1a1683f Mon Sep 17 00:00:00 2001
From: tracer <tracer@24unix.net>
Date: Thu, 27 Oct 2022 15:42:43 +0200
Subject: [PATCH] added htmlspecialchars to visible fields

---
 src/Repository/UserRepository.php | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/Repository/UserRepository.php b/src/Repository/UserRepository.php
index 77b4da3..69d36ba 100644
--- a/src/Repository/UserRepository.php
+++ b/src/Repository/UserRepository.php
@@ -38,7 +38,13 @@ class UserRepository
 
             $statement->execute();
             while ($result = $statement->fetch(mode: PDO::FETCH_ASSOC)) {
-                $user = new User(nick: $result['nick'], password: $result['password'], first: $result['first'], last: $result['last'], id: $result['id'], isAdmin: $result['is_admin']);
+                $user = new User(
+                    nick: htmlspecialchars(string: $result['nick']),
+                    password: $result['password'],
+                    first: htmlspecialchars(string: $result['first']),
+                    last: htmlspecialchars(string: $result['last']),
+                    id: $result['id'],
+                    isAdmin: $result['is_admin']);
                 $users[] = $user;
             }
             return $users;
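Review bot: Applying `htmlspecialchars` to the `nick`, `first` and `last` arguments of the `new User(...)` call escapes at the wrong layer: the repository now returns HTML-encoded data instead of the stored value, so every non-HTML consumer of `User` (JSON output, logging, comparisons against request input, or persisting the object again) sees `&amp;`/`&lt;` sequences, and a re-save would double-encode. The same issue applies to the hunks at `@@ -60,7 +66,13` and `@@ -83,7 +95,13`. Keep the constructor arguments as the raw fetched values, e.g. `nick: $result['nick'],`, and escape in the template at the point of output with `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, choosing the escaper per output context (HTML body, attribute, JS, URL). Note also that on PHP 8.0 the default flags of `htmlspecialchars` do not encode single quotes (ENT_QUOTES only became the default in 8.1), so if the project still targets 8.0 the escaping added here would not cover single-quoted attribute contexts anyway. The enclosing method starts before this hunk.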
@@ -60,7 +66,13 @@ class UserRepository
             $statement->bindParam(param: ':id', var: $id);
             $statement->execute();
             if ($result = $statement->fetch(mode: PDO::FETCH_ASSOC)) {
-                return new User(nick: $result['nick'], password: $result['password'], first: $result['first'], last: $result['last'], id: $result['id'], isAdmin: $result['is_admin']);
+                return new User(
+                    nick: htmlspecialchars(string: $result['nick']),
+                    password: $result['password'],
+                    first: htmlspecialchars(string: $result['first']),
+                    last: htmlspecialchars(string: $result['last']),
+                    id: $result['id'],
+                    isAdmin: $result['is_admin']);
             } else {
                 return null;
             }
@@ -83,7 +95,13 @@ class UserRepository
             $statement->bindParam(param: ':nick', var: $nick);
             $statement->execute();
             if ($result = $statement->fetch(mode: PDO::FETCH_ASSOC)) {
-                return new User(nick: $result['nick'], password: $result['password'], first: $result['first'], last: $result['last'], id: $result['id'], isAdmin: $result['is_admin']);
+                return new User(
+                    nick: htmlspecialchars(string: $result['nick']),
+                    password: $result['password'],
+                    first: htmlspecialchars(string: $result['first']),
+                    last: htmlspecialchars(string: $result['last']),
+                    id: $result['id'],
+                    isAdmin: $result['is_admin']);
             } else {
                 return null;
             }
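Review bot: With `nick` escaped in the returned object, `User::$nick` no longer equals the value bound to `:nick` a few lines above whenever the stored nick contains `&`, `<`, `>` or quotes, so a caller that feeds the returned nick back into this lookup, or compares it with the request value it searched for, gets a mismatch. That round-trip break is a further reason to leave `nick: $result['nick'],` unescaped in the repository and perform HTML escaping at render time. The enclosing method starts before this hunk.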