From 79f4fce0864a2a67d17e1bd4fdd82af9a9e64144 Mon Sep 17 00:00:00 2001
From: Squidly271 <azawadzki@arrowgames.com>
Date: Sat, 17 Mar 2018 17:08:00 -0400
Subject: [PATCH 1/2] Docker Security: Remove <script> and <iframe>

Recursively remove any <script> or <iframe> from all elements in a template
---
 .../include/CreateDocker.php                   | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/plugins/dynamix.docker.manager/include/CreateDocker.php b/plugins/dynamix.docker.manager/include/CreateDocker.php
index 77644ddb2..f00b89fd8 100644
--- a/plugins/dynamix.docker.manager/include/CreateDocker.php
+++ b/plugins/dynamix.docker.manager/include/CreateDocker.php
@@ -374,9 +374,27 @@ function xmlToVar($xml) {
       }
     }
   }
+  xmlSecurity($out);
   return $out;
 }
 
+function xmlSecurity(&$template) {
+	foreach ($template as &$element) {
+		if ( is_array($element) ) {
+			xmlSecurity($element);
+		} else {
+			if ( is_string($element) ) {
+				$tempElement = htmlspecialchars_decode($element);
+				$tempElement = str_replace("[","<",$tempElement);
+				$tempElement = str_replace("]",">",$tempElement);
+				if ( preg_match('#<script(.*?)>(.*?)</script>#is',$tempElement) || preg_match('#<iframe(.*?)>(.*?)</iframe>#is',$tempElement) ) {
+					$element = "REMOVED";
+				}
+			}
+		}
+	}
+}
+
 function xmlToCommand($xml, $create_paths=false) {
   global $var;
   global $docroot;

From 742af14804d18fc8f1a04bcfabf9cdf59e0bbaf5 Mon Sep 17 00:00:00 2001
From: Squidly271 <azawadzki@arrowgames.com>
Date: Sat, 17 Mar 2018 17:18:19 -0400
Subject: [PATCH 2/2] Switch from tabs to spaces

---
 .../include/CreateDocker.php                  | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/plugins/dynamix.docker.manager/include/CreateDocker.php b/plugins/dynamix.docker.manager/include/CreateDocker.php
index f00b89fd8..9b3870b3d 100644
--- a/plugins/dynamix.docker.manager/include/CreateDocker.php
+++ b/plugins/dynamix.docker.manager/include/CreateDocker.php
@@ -379,20 +379,20 @@ function xmlToVar($xml) {
 }
 
 function xmlSecurity(&$template) {
-	foreach ($template as &$element) {
-		if ( is_array($element) ) {
-			xmlSecurity($element);
-		} else {
-			if ( is_string($element) ) {
-				$tempElement = htmlspecialchars_decode($element);
-				$tempElement = str_replace("[","<",$tempElement);
-				$tempElement = str_replace("]",">",$tempElement);
-				if ( preg_match('#<script(.*?)>(.*?)</script>#is',$tempElement) || preg_match('#<iframe(.*?)>(.*?)</iframe>#is',$tempElement) ) {
-					$element = "REMOVED";
-				}
-			}
-		}
-	}
+  foreach ($template as &$element) {
+    if ( is_array($element) ) {
+      xmlSecurity($element);
+    } else {
+      if ( is_string($element) ) {
+        $tempElement = htmlspecialchars_decode($element);
+        $tempElement = str_replace("[","<",$tempElement);
+        $tempElement = str_replace("]",">",$tempElement);
+        if ( preg_match('#<script(.*?)>(.*?)</script>#is',$tempElement) || preg_match('#<iframe(.*?)>(.*?)</iframe>#is',$tempElement) ) {
+          $element = "REMOVED";
+        }
+      }
+    }
+  }
 }
 
 function xmlToCommand($xml, $create_paths=false) {