attogram · google-labs-jules · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
diff --git a/web/apps/apps.functions.php b/web/apps/apps.functions.php
@@ -17,3 +17,7 @@ function explorer_address_link2($address, $short= false) {
 	}
 	return '<a href="/apps/explorer/address.php?address='.$address.'">'.$text.'</a>';
 }
+
+function safeDisplay($string) {
+    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
+}
diff --git a/web/apps/explorer/accounts.php b/web/apps/explorer/accounts.php
@@ -19,7 +19,7 @@
 
 <form class="app-search d-block pt-0" method="get" action="">
     <div class="position-relative">
-        <input type="text" class="form-control" placeholder="Search: Address" name="search" value="<?php echo $_GET['search'] ?>">
+        <input type="text" class="form-control" placeholder="Search: Address" name="search" value="<?php echo safeDisplay($_GET['search'] ?? '') ?>">
         <button class="btn btn-primary" type="submit"><i class="bx bx-search-alt align-middle"></i></button>
     </div>
 </form>

diff --git a/web/apps/explorer/address.php b/web/apps/explorer/address.php
@@ -153,7 +153,7 @@
                     <td><?php echo $transaction['type_label'] ?></td>
                     <td><?php echo num($transaction['val']) ?></td>
                     <td><?php echo num($transaction['fee']) ?></td>
-                    <td style="word-break: break-all"><?php echo $transaction['message'] ?></td>
+                    <td style="word-break: break-all"><?php echo safeDisplay($transaction['message']) ?></td>
                 </tr>
 			<?php } ?>
             </tbody>

diff --git a/web/apps/explorer/mempool.php b/web/apps/explorer/mempool.php
@@ -47,7 +47,7 @@
 			<td><?php echo $transaction['val'] ?></td>
 			<td><?php echo $transaction['fee'] ?></td>
 			<td><?php echo Transaction::typeLabel($transaction['type']) ?></td>
-			<td style="word-break: break-all"><?php echo $transaction['message'] ?></td>
+			<td style="word-break: break-all"><?php echo safeDisplay($transaction['message']) ?></td>
 		</tr>
 		<?php } ?>
 	</tbody>

diff --git a/web/apps/explorer/smart_contract.php b/web/apps/explorer/smart_contract.php
@@ -317,7 +317,7 @@
                                 <?php if(@$property['type']=="map") { ?>
                                     <input class="form-control w-auto d-inline form-control-sm" type="text"
                                            name="sc_property_key[<?php echo $property['name'] ?>]"
-                                           value="<?php echo $_REQUEST['sc_property_key'][$property['name']] ?>" placeholder="Key">
+                                           value="<?php echo safeDisplay($_REQUEST['sc_property_key'][$property['name']] ?? '') ?>" placeholder="Key">
                                 <?php } ?>
                                 <button type="button" onclick="runAction('sc_get_property_read',['<?php echo $property['name'] ?>'])"
                                         name="sc_get_property_read" value="<?php echo $property['name'] ?>" class="btn btn-sm btn-soft-primary">Read</button>
@@ -444,7 +444,7 @@
                                     ?>
                                     <input type="text" class="form-control form-control-sm d-inline w-auto"
                                            name="sc_view_params[<?php echo $view['name'] ?>][<?php echo $name ?>]"
-                                           value="<?php echo $_REQUEST['sc_view_params'][$view['name']][$name] ?>" placeholder="<?php echo $name ?>">
+                                           value="<?php echo safeDisplay($_REQUEST['sc_view_params'][$view['name']][$name] ?? '') ?>" placeholder="<?php echo $name ?>">
                                 <?php } ?>
                                 <button type="button" onclick="runAction('sc_view', ['<?php echo $view['name'] ?>'])" class="btn btn-sm btn-soft-primary"
                                         name="sc_view" value="<?php echo $view['name'] ?>">Call</button>

diff --git a/web/apps/explorer/tx.php b/web/apps/explorer/tx.php
@@ -120,7 +120,7 @@
         </tr>
         <tr>
             <td>Message</td>
-            <td><?php echo $tx['message'] ?></td>
+            <td><?php echo safeDisplay($tx['message']) ?></td>
         </tr>
         <tr>
             <td>Public key</td>
@@ -195,7 +195,7 @@
                 </tr>
                 <tr>
                     <td>Params</td>
-                    <td><?php echo implode("<br/>", $sc_data['params']) ?></td>
+                    <td><?php echo implode("<br/>", array_map('safeDisplay', $sc_data['params'])) ?></td>
                 </tr>
             </table>
         </div>