From 765d3d17dab1aefd85328231612724f1d98fe5b1 Mon Sep 17 00:00:00 2001
From: James <jesse.isler@gmail.com>
Date: Tue, 5 Apr 2022 13:51:36 +0200
Subject: [PATCH] Finished the login and sterilisation

---
 confirm.php | 59 ++++++++++++++++++++++----------------------
 create.php  |  3 +++
 index.php   |  1 +
 login.php   | 71 +++++++++++++++++++++++++++++++++++++++++++++++++----
 4 files changed, 100 insertions(+), 34 deletions(-)

diff --git a/confirm.php b/confirm.php
index 71eb2f1..b0a43e3 100644
--- a/confirm.php
+++ b/confirm.php
@@ -2,10 +2,11 @@
 <html>
 <?php
 
-public function removeBrackets($input)
+function sanitizeMyThings($input)
 {
-  $output = str_replace('"', "'", $input)
-  return $output
+  $output = trim($input);
+  $output = filter_var($input, FILTER_SANITIZE_STRING);
+  return $output;
 }
 
 if (preg_match('/^[\/\w\-. ]+$/', $_POST['rolename'].'.php')){
@@ -22,12 +23,12 @@ if (preg_match('/^[\/\w\-. ]+$/', $_POST['rolename'].'.php')){
   #
 
   # This is the color defined by https://materializecss.com/color.html
-  $f_color = removeBrackets($_POST['rolecolor']." ".$_POST['rolestrength']."-".$_POST['rolemod']);
-  fwrite($rolefile, '$color = "'.$f_color.'"'.PHP_EOL);
+  $f_color = sanitizeMyThings($_POST['rolecolor']." ".$_POST['rolemod']."-".$_POST['rolestrength']);
+  fwrite($rolefile, '$color = "'.$f_color.'";'.PHP_EOL);
 
   # Text Color
-  $f_tcolor = removeBrackets($_POST['tcolor']);
-  fwrite($rolefile, '$tcolor = '.$f_tcolor.PHP_EOL);
+  $f_tcolor = sanitizeMyThings($_POST['tcolor']);
+  fwrite($rolefile, '$tcolor = "'.$f_tcolor.'-text";'.PHP_EOL);
 
 
   #
@@ -35,12 +36,12 @@ if (preg_match('/^[\/\w\-. ]+$/', $_POST['rolename'].'.php')){
   #
 
   #The Name of the Role
-  $f_name = removeBrackets($_POST['rolename']);
-  fwrite($rolefile, '$name = "'.$f_name.PHP_EOL);
+  $f_name = sanitizeMyThings($_POST['rolename']);
+  fwrite($rolefile, '$name = "'.$f_name.'";'.PHP_EOL);
 
   #The Description of the Role, HTML conform :)
-  $f_description = removeBrackets($_POST['roledesc']);
-  fwrite($rolefile,'$description = "'. $f_description.PHP_EOL);
+  $f_description = sanitizeMyThings($_POST['roledesc']);
+  fwrite($rolefile,'$description = "'. $f_description.'";'.PHP_EOL);
 
 
 
@@ -50,24 +51,24 @@ if (preg_match('/^[\/\w\-. ]+$/', $_POST['rolename'].'.php')){
   #
 
   #How To play
-  $f_howtoplay = removeBrackets($_POST['howtoplay']);
-  fwrite($rolefile, '$howtoplay = "'.$f_howtoplay.PHP_EOL);
+  $f_howtoplay = sanitizeMyThings($_POST['howtoplay']);
+  fwrite($rolefile, '$howtoplay = "'.sanitizeMyThings($f_howtoplay).'";'.PHP_EOL);
 
   #With what roles does this role play best?
-  fwrite($rolefile, '$playsbestwith = "<ul>'.PHP_EOL);
+  fwrite($rolefile, '$playsbestwith = "<ul>;'.PHP_EOL);
 
-    foreach($_POST['goodRoles'] as removeBrackets($selectedOption)) {
-    fwrite($rolefile, '<li>'.$selectedOption.'</li>'.PHP_EOL);
+    foreach($_POST['goodRoles'] as $selectedOption) {
+    fwrite($rolefile, '<li>'.sanitizeMyThings($selectedOption).'</li>'.PHP_EOL);
   };
-  fwrite($rolefile, '</ul>;"'.PHP_EOL);
+  fwrite($rolefile, '</ul>";'.PHP_EOL);
 
 
   #Convars
   $f_convars = '$convars = "Normal Role Convars (also found in ULX):
-  <code>'.removeBrackets($_POST['gconvars'].'</code>
+  <code>'.sanitizeMyThings($_POST['gconvars']).'</code>
 
   Rolespecific Convars:
-  <code>'.removeBrackets($_POST['cconvars']).'</code>"';
+  <code>'.sanitizeMyThings($_POST['cconvars']).'</code>";';
 
   fwrite($rolefile, $f_convars.PHP_EOL);
 
@@ -77,21 +78,21 @@ if (preg_match('/^[\/\w\-. ]+$/', $_POST['rolename'].'.php')){
   #
 
   #The Steam URL to your addon
-  $f_steam = removeBrackets($_POST['steam']);
-  fwrite($rolefile, '$steam = "'.$f_steam.'"'.PHP_EOL);
+  $f_steam = sanitizeMyThings($_POST['steam']);
+  fwrite($rolefile, '$steam = "'.$f_steam.'";'.PHP_EOL);
   #The Source URL to your addon
-  $f_source = removeBrackets($_POST['source']);
-  fwrite($rolefile, '$source = "'.$f_source.'"'.PHP_EOL);
+  $f_source = sanitizeMyThings($_POST['source']);
+  fwrite($rolefile, '$source = "'.$f_source.'";'.PHP_EOL);
 
   #Creator of the Addon
-  $f_author = removeBrackets($_POST['creator']);
-  fwrite($rolefile, '$author = "'.$f_author.'"'.PHP_EOL);
+  $f_author = sanitizeMyThings($_POST['creator']);
+  fwrite($rolefile, '$author = "'.$f_author.'";'.PHP_EOL);
   #Creatorlink
-  $f_authorurl = removeBrackets($_POST['creatorurl']);
-  fwrite($rolefile, '$authorurl = "'.$f_authorurl.'"'.PHP_EOL);
+  $f_authorurl = sanitizeMyThings($_POST['creatorurl']);
+  fwrite($rolefile, '$authorurl = "'.$f_authorurl.'";'.PHP_EOL);
   # Credittext (can use the above variables)
-  $f_ctext = removeBrackets($_POST['credits']);
-  fwrite($rolefile, '$ctext = "'.$f_ctext.'"'.PHP_EOL);
+  $f_ctext = sanitizeMyThings($_POST['credits']);
+  fwrite($rolefile, '$ctext = "'.$f_ctext.'";'.PHP_EOL);
 
 fwrite($rolefile, '?>');
 fclose($rolefile);
diff --git a/create.php b/create.php
index 654380f..e71d0d9 100644
--- a/create.php
+++ b/create.php
@@ -1,3 +1,6 @@
+<?php
+if( empty( $runningFileName ) ) die("Cannot access this page directly");
+?>
 <!doctype html>
 <html lang="en">
   <head>
diff --git a/index.php b/index.php
index e7ed548..4900fb2 100644
--- a/index.php
+++ b/index.php
@@ -46,6 +46,7 @@
               </div>
             </li>
             <li><a href="https://discord.gg/Npcbb4W">Official TTT2 Discord</a></li>
+            <li><a href="login.php">Create your own! <b>[BETA]</b></a></li>
             <li><div class="divider"></div></li>
             <li><a class="subheader">Roles</a></li>
 
diff --git a/login.php b/login.php
index deeb78a..371fddf 100644
--- a/login.php
+++ b/login.php
@@ -6,19 +6,80 @@ $pass = @$_POST['pass'];
 if($user == "admin"
 && $pass == "soup")
 {
+        $runningFileName = "login.php";
         include("create.php");
 }
 else
 {
+?>
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>TTT2 Role Adder</title>
+  <meta name="description" content="Add a new TTT2 Role">
+  <meta name="author" content="James">
+  <meta property="og:title" content="TTT2 Role Adder">
+  <meta property="og:type" content="website">
+  <meta property="og:url" content="https://ttt.james-things.com">
+  <meta property="og:description" content="All TTT2 Roles documented halfheartedly">
+  <meta property="og:image" content="https://e7.pngegg.com/pngimages/710/403/png-clipart-the-embodiment-of-scarlet-devil-team-shanghai-alice-video-game-banjo-tooie-mario-luigi-partners-in-time-marisa-logo-computer-wallpaper.png">
+  <link rel="icon" href="/favicon.ico">
+  <link rel="icon" href="/favicon.svg" type="image/svg+xml">
+  <link rel="apple-touch-icon" href="/apple-touch-icon.png">
+  <!--MATERIALIZE-->
+  <!--Import jQuery-->
+  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
+  <!--Import Google Icon Font-->
+  <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
+  <!--Import materialize.css-->
+  <link type="text/css" rel="stylesheet" href="css/materialize.min.css" media="screen,projection" />
+  <!--My Custom Stylesheet-->
+  <link rel="stylesheet" href="css/styles.css">
+</head>
+<body>
+       <div class="container center_all_things">
+  <div class="row">
+    <div class="col s12 blurry">
+      <div class="card-panel card white">
+        <?php
+
     if(isset($_POST))
     {
-echo '
+      ?>
+            <div class="row">
             <form method="POST" action="login.php">
-            User <input type="text" name="user"></input><br/>
-            Pass <input type="password" name="pass"></input><br/>
-            <input type="submit" name="submit" value="Go"></input>
+
+              <div class="input-field col s6">
+            <input type="text" name="user"></input><br/>
+            <label for="user">Name</label>
+            </div>
+            <div class="input-field col s6">
+            <input type="password" name="pass"></input><br/>
+            <label for="pass">Password</label>
+            </div>
+            <button class="btn waves-effect waves-light col s12" type="submit" value="Login" name="submit">Submit <i class="material-icons right">send</i>
+            </button>
             </form>
-            ';
+            </div>
+
+            </div>
+            </div>
+            </div>
+            </div>
+            <script>
+            $(document).ready(function() {
+              $('select').formSelect();
+              $('.collapsible').collapsible();
+              M.updateTextFields();
+            });
+            </script>
+
+            <script type="text/javascript" src="js/materialize.min.js"></script>
+            </body>
+            </html>
+    <?php
     }
 }
 ?>