From c276a096f244dba07aac7675189bf8f7a7c4bf5d Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 4 Dec 2025 07:40:30 +0000 Subject: [PATCH 1/3] fix: Prevent XSS vulnerabilities Introduced a new `safeDisplay` function to sanitize user input before it is displayed on the page. This function uses `htmlspecialchars` to prevent XSS attacks. Applied the `safeDisplay` function to all identified locations where user-provided data is displayed, including transaction messages and search inputs. --- web/apps/apps.functions.php | 4 ++++ web/apps/explorer/accounts.php | 2 +- web/apps/explorer/address.php | 2 +- web/apps/explorer/mempool.php | 2 +- web/apps/explorer/smart_contract.php | 4 ++-- web/apps/explorer/tx.php | 2 +- 6 files changed, 10 insertions(+), 6 deletions(-) diff --git a/web/apps/apps.functions.php b/web/apps/apps.functions.php index 0585d395..ed6c6469 100755 --- a/web/apps/apps.functions.php +++ b/web/apps/apps.functions.php @@ -17,3 +17,7 @@ function explorer_address_link2($address, $short= false) { } return ''.$text.''; } + +function safeDisplay($string) { + return htmlspecialchars($string, ENT_QUOTES, 'UTF-8'); +} diff --git a/web/apps/explorer/accounts.php b/web/apps/explorer/accounts.php index 77fbcade..0f43964b 100755 --- a/web/apps/explorer/accounts.php +++ b/web/apps/explorer/accounts.php @@ -19,7 +19,7 @@ diff --git a/web/apps/explorer/address.php b/web/apps/explorer/address.php index 604f11e9..11d6944a 100755 --- a/web/apps/explorer/address.php +++ b/web/apps/explorer/address.php @@ -153,7 +153,7 @@ - + diff --git a/web/apps/explorer/mempool.php b/web/apps/explorer/mempool.php index d2d0d6dc..ed0f9bd9 100755 --- a/web/apps/explorer/mempool.php +++ b/web/apps/explorer/mempool.php @@ -47,7 +47,7 @@ - + diff --git a/web/apps/explorer/smart_contract.php b/web/apps/explorer/smart_contract.php index e50ba77e..986b0b3f 100644 --- a/web/apps/explorer/smart_contract.php 
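Review bot: `safeDisplay` calls `htmlspecialchars($string, ENT_QUOTES, 'UTF-8')` without `ENT_SUBSTITUTE`, so a value that is not valid UTF-8 comes back as an empty string instead of an escaped one and the field is silently blanked; the series applies this helper to transaction messages, which are presumably arbitrary on-chain bytes rather than guaranteed UTF-8. The parameter is also untyped, so a missing `$_GET['search']` passes `null` (deprecated for `htmlspecialchars` since PHP 8.1) and an array-valued request parameter raises a `TypeError`, which the helper cannot absorb on its own — callers reading `$_REQUEST` should check `is_string` first. I would write it as `function safeDisplay(?string $string): string {` / `    return htmlspecialchars((string) $string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` / `}` with a docblock stating that it escapes for HTML body and quoted-attribute context only, not for JavaScript, URL or CSS contexts. Separately, the context line `return ''.$text.'';` in `explorer_address_link2` (whose body begins outside the hunk) still concatenates `$text` into markup without the new helper; whether `$text` derives from the caller-supplied `$address` cannot be told from this hunk.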
+++ b/web/apps/explorer/smart_contract.php @@ -317,7 +317,7 @@ + value="" placeholder="Key"> @@ -444,7 +444,7 @@ ?> + value="" placeholder=""> diff --git a/web/apps/explorer/tx.php b/web/apps/explorer/tx.php index 03621298..5780cb05 100755 --- a/web/apps/explorer/tx.php +++ b/web/apps/explorer/tx.php @@ -120,7 +120,7 @@ Message - + Public key From bc029139e6dafbeb3d91ae09037766139046df80 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 4 Dec 2025 07:43:24 +0000 Subject: [PATCH 2/3] fix: Prevent XSS vulnerabilities in user-displayed data Introduced a new `safeDisplay` function in `apps.functions.php` to sanitize output using `htmlspecialchars`. This change applies the `safeDisplay` function to multiple locations to prevent reflected XSS attacks: - Sanitized the `$_GET['search']` parameter in `apps/explorer/accounts.php`. - Sanitized `$_REQUEST` parameters in `apps/explorer/smart_contract.php`. - Sanitized the `transaction['message']` field where it is displayed in `apps/explorer/address.php`, `tx.php`, and `mempool.php`. - Sanitized smart contract parameters decoded from the transaction message in `apps/explorer/tx.php` before they are displayed. --- web/apps/explorer/tx.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/apps/explorer/tx.php b/web/apps/explorer/tx.php index 5780cb05..1c58efaf 100755 --- a/web/apps/explorer/tx.php +++ b/web/apps/explorer/tx.php @@ -195,7 +195,7 @@ Params - ", $sc_data['params']) ?> + ", array_map('safeDisplay', $sc_data['params'])) ?> From 12e100d2ad6b20822f48aabd096897943c5a1757 Mon Sep 17 00:00:00 2001 
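Review bot: `array_map('safeDisplay', $sc_data['params'])` assumes `$sc_data['params']` is an array of strings; the commit description says these are decoded from the transaction message, so a nested array element, or a `params` entry that is missing or not an array, would make `htmlspecialchars` or `array_map` throw a `TypeError` and turn the page for an otherwise valid transaction into a fatal error (how `$sc_data` is built is outside this hunk, so this is inferred). I would coerce before escaping: `array_map(static fn ($p): string => safeDisplay(is_scalar($p) ? (string) $p : json_encode($p)), (array) ($sc_data['params'] ?? []))`. If the project targets PHP 8.1+, the string callable `'safeDisplay'` can also be the first-class callable `safeDisplay(...)`, which static analysis can follow.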
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 4 Dec 2025 07:49:12 +0000 Subject: [PATCH 3/3] fix: Prevent XSS vulnerabilities in user-displayed data Introduced a new `safeDisplay` function in `apps.functions.php` to sanitize output using `htmlspecialchars`. This change applies the `safeDisplay` function to multiple locations to prevent reflected XSS attacks: - Sanitized the `$_GET['search']` parameter in `apps/explorer/accounts.php`. - Sanitized `$_REQUEST` parameters in `apps/explorer/smart_contract.php`. - Sanitized the `transaction['message']` field where it is displayed in `apps/explorer/address.php`, `tx.php`, and `mempool.php`. - Sanitized smart contract parameters decoded from the transaction message in `apps/explorer/tx.php` before they are displayed.