From 8a6798a2276026ec8fe06b0056607a6e461cf330 Mon Sep 17 00:00:00 2001
From: Dag <me@dvikan.no>
Date: Fri, 9 Feb 2024 07:27:16 +0100
Subject: [PATCH] fix: escape token for html context (#3966)

---
 README.md                      |  6 +++---
 bridges/AnnasArchiveBridge.php |  6 ++++--
 bridges/BookMyShowBridge.php   | 28 +++++++++++++++-------------
 config/nginx.conf              |  1 +
 lib/BridgeCard.php             |  5 ++---
 5 files changed, 25 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index cadba3b9..f8d08058 100644
--- a/README.md
+++ b/README.md
@@ -104,6 +104,7 @@ server {
     server_name example.com;
     access_log /var/log/nginx/rss-bridge.access.log;
     error_log /var/log/nginx/rss-bridge.error.log;
+    log_not_found off;
 
     # Intentionally not setting a root folder here
 
@@ -115,23 +116,22 @@ server {
         alias /var/www/rss-bridge/static/;
     }
 
-    # Pass off to php-fpm only when location is exactly /
+    # Pass off to php-fpm when location is exactly /
     location = / {
         root /var/www/rss-bridge/;
         include snippets/fastcgi-php.conf;
+        fastcgi_read_timeout 45s;
         fastcgi_pass unix:/run/php/rss-bridge.sock;
     }
 
     # Reduce spam
     location = /favicon.ico {
         access_log off;
-        log_not_found off;
     }
 
     # Reduce spam
     location = /robots.txt {
         access_log off;
-        log_not_found off;
     }
 }
 ```
diff --git a/bridges/AnnasArchiveBridge.php b/bridges/AnnasArchiveBridge.php
index e8a1e8c4..acb943b4 100644
--- a/bridges/AnnasArchiveBridge.php
+++ b/bridges/AnnasArchiveBridge.php
@@ -126,7 +126,8 @@ class AnnasArchiveBridge extends BridgeAbstract
             return;
         }
 
-        foreach ($list->find('.w-full > .mb-4 > div > a') as $element) {
+        $elements = $list->find('.w-full > .mb-4 > div > a');
+        foreach ($elements as $element) {
             $item = [];
             $item['title'] = $element->find('h3', 0)->plaintext;
             $item['author'] = $element->find('div.italic', 0)->plaintext;
@@ -134,7 +135,8 @@ class AnnasArchiveBridge extends BridgeAbstract
             $item['content'] = $element->plaintext;
             $item['uid'] = $item['uri'];
 
-            if ($item_html = getSimpleHTMLDOMCached($item['uri'])) {
+            $item_html = getSimpleHTMLDOMCached($item['uri'], 86400 * 20);
+            if ($item_html) {
                 $item_html = defaultLinkTo($item_html, self::URI);
                 $item['content'] .= $item_html->find('main img', 0);
                 $item['content'] .= $item_html->find('main .mt-4', 0); // Summary
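Review bot: The new cache lifetime `86400 * 20` on the `getSimpleHTMLDOMCached($item['uri'], 86400 * 20)` line is an unexplained magic number; twenty days is much longer than a typical feed refresh, and the reader cannot tell whether that is deliberate. A short why-comment would settle it, e.g. `// Item detail pages rarely change; cache for 20 days to limit requests to the upstream site`, or lift the value into a named class constant if the bridge has others. Note also that `$item['uri']` is assigned in the lines cut between the two hunks, so whether it is constrained to `self::URI` before being fetched cannot be verified from this patch. The enclosing method starts outside the hunk.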
diff --git a/bridges/BookMyShowBridge.php b/bridges/BookMyShowBridge.php
index 7064df91..6ad02fe2 100644
--- a/bridges/BookMyShowBridge.php
+++ b/bridges/BookMyShowBridge.php
@@ -1218,14 +1218,15 @@ EOT;
         $table = $this->generateEventDetailsTable($event);
 
         $imgsrc = $event['BannerURL'];
+        $FShareURL = $event['FShareURL'];
 
         return <<<EOT
-		<img title="Event Banner URL" src="$imgsrc"></img>
-		<br>
-		$table
-		<br>
-		More Details are available on the <a href="${event['FShareURL']}">BookMyShow website</a>.
-EOT;
+        <img title="Event Banner URL" src="$imgsrc">
+        <br>
+        $table
+        <br>
+        More Details are available on the <a href="$FShareURL">BookMyShow website</a>.
+        EOT;
     }
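Review bot: The heredoc still interpolates `$imgsrc` and `$FShareURL` straight into `src="…"` and `href="…"` attributes without escaping, even though the commit message is about escaping for HTML context and the patch already uses `e()` for that in lib/BridgeCard.php. Both values are read from the upstream `$event` record, which as far as this code shows is remote data, so a `"` in either string breaks out of the attribute. The fix is at the assignment lines: `$imgsrc = e($event['BannerURL']);` and `$FShareURL = e($event['FShareURL']);`. If the feed layer sanitises item content downstream, a one-line comment saying so would be the alternative. The enclosing method starts outside the hunk.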
 
     /**
@@ -1292,14 +1293,15 @@ EOT;
 
         $synopsis = preg_replace(self::SYNOPSIS_REGEX, '', $data['EventSynopsis']);
 
+        $eventTrailerURL = $data['EventTrailerURL'];
         return <<<EOT
-		<img title="Movie Poster" src="$imgsrc"></img>
-		<div>$table</div>
-		<p>$innerHtml</p>
-		<p>${synopsis}</p>
-		More Details are available on the <a href="$url">BookMyShow website</a> and a trailer is available
-		<a href="${data['EventTrailerURL']}" title="Trailer URL">here</a>
-EOT;
+        <img title="Movie Poster" src="$imgsrc"></img>
+        <div>$table</div>
+        <p>$innerHtml</p>
+        <p>$synopsis</p>
+        More Details are available on the <a href="$url">BookMyShow website</a> and a trailer is available
+        <a href="$eventTrailerURL" title="Trailer URL">here</a>
+        EOT;
     }
 
     /**
diff --git a/config/nginx.conf b/config/nginx.conf
index f0f189e7..c65f8e00 100644
--- a/config/nginx.conf
+++ b/config/nginx.conf
@@ -13,6 +13,7 @@ server {
 
     location ~ \.php$ {
         include snippets/fastcgi-php.conf;
+        fastcgi_read_timeout 45s;
         fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
     }
 }
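Review bot: The added `fastcgi_read_timeout 45s;` carries no explanation, and the same literal is duplicated in the README sample, so the two will drift silently when one is tuned. A comment above the directive would record the intent, e.g. `# Some bridges wait on slow upstream sites; give php-fpm up to 45s before nginx answers 504`, and ideally name the PHP-side limit it is meant to stay above. I cannot tell from the patch what `max_execution_time` or per-request HTTP timeout the bridges use, so the 45s value itself is left as the author's call.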
diff --git a/lib/BridgeCard.php b/lib/BridgeCard.php
index e5456f33..c4677b9d 100644
--- a/lib/BridgeCard.php
+++ b/lib/BridgeCard.php
@@ -104,9 +104,8 @@ final class BridgeCard
             <input type="hidden" name="bridge" value="{$bridgeClassName}" />
         EOD;
 
-        if ($token) {
-            // todo: maybe escape the token?
-            $form .= sprintf('<input type="hidden" name="token" value="%s" />', $token);
+        if (Configuration::getConfig('authentication', 'token') && $token) {
+            $form .= sprintf('<input type="hidden" name="token" value="%s" />', e($token));
         }
 
         if (!empty($contextName)) {
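Review bot: The new gate `Configuration::getConfig('authentication', 'token') && $token` relies on PHP truthiness for `$token`, so a token value of `'0'` would silently never be emitted; `$token !== null && $token !== ''` (or `is_string($token) && $token !== ''`) states the intent without that corner case. The `e($token)` escaping is the right fix for the double-quoted `value="%s"` attribute, provided `e()` escapes `"`, which presumably it does as a `htmlspecialchars` wrapper, but that is not visible here and is worth confirming once. Since this hidden field travels with the bridge form, the token will presumably appear in the resulting feed URL's query string and thus in access logs and browser history; if that is accepted, a short comment saying so would spare the next reader the question. The enclosing function starts outside the hunk.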