Fix XSS by applying context-aware encoding

passman-dev/php/passman/notes.php

@@ -73,12 +73,17 @@ echo "<h3>List of notes/comments</h3>";
 
 if (!empty($result) && $result->num_rows >= 1) {
     while ($row = $result -> fetch_assoc()) {
+        // Escape output to prevent stored XSS (DB content must be treated as untrusted).
+        $safe_note = htmlspecialchars($row["note"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+        $safe_user = htmlspecialchars($row["username"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
+
         echo "<div class='note'>";
-		echo	"<div class='note-content'>" . $row["note"] . "</div>";
+        echo    "<div class='note-content'>" . $safe_note . "</div>";
-		echo	"<div class='note-signature'> by " . $row["username"] . "</div>";
+        echo    "<div class='note-signature'> by " . $safe_user . "</div>";
         echo "</div>";
     }
 
+
 	// Free result set
 	$result -> free_result();
 } else {

passman-dev/php/passman/xss/stolencookies.txt

@@ -0,0 +1,3 @@
+
+PHPSESSID=2c215dd41fe1090a5da5d0f3adc6ba64
+PHPSESSID=2c215dd41fe1090a5da5d0f3adc6ba64

passman-dev/php/xss/stolencookies.txt

@@ -1,2 +0,0 @@
-PHPSESSID=knjfug3u4gavdas9o4eupe38l1; seclab_user=u1
-seclab_user=u1; PHPSESSID=o1mg400lipd2mck69kpfnl6p5s