From 0b57508a2bd373933c10f06911e5274efbce0f1f Mon Sep 17 00:00:00 2001
From: "Nicolas A. Tonne" <nixatto@gmail.com>
Date: Thu, 12 Feb 2015 22:27:59 +0100
Subject: [PATCH] No special chars in chan URL

---
 index.php      | 2 +-
 php/change.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/index.php b/index.php
index a9bc15c9..7e48401f 100755
--- a/index.php
+++ b/index.php
@@ -2,7 +2,7 @@
     if(isset($_GET['chan'])) header('Location: '.$_GET['chan']);
     $list = explode("/", htmlspecialchars(strtolower($_SERVER["REQUEST_URI"])));
     if($list[1]==""||!isset($list[1])||count($list)<=1){$list="";include('php/nochan.php');die();}
-    else $list=$list[1];
+    else $list=preg_replace('/[^\da-z]/i', '', urldecode($list[1]));
 ?>
 
 <html xmlns="http://www.w3.org/1999/xhtml"
diff --git a/php/change.php b/php/change.php
index d7c0e542..99bb6702 100755
--- a/php/change.php
+++ b/php/change.php
@@ -5,7 +5,7 @@ $guid=substr(base64_encode(crc32($_SERVER['HTTP_USER_AGENT'].$_SERVER['REMOTE_AD
 //save or delete(oid)                                             //getting the list we are in
 $list = explode("/", htmlspecialchars(strtolower($_SERVER["REQUEST_URI"])));
 if($list[1]==""||!isset($list[1])||count($list)<=1)$list="videos";
-else $list=$list[1];
+else $list = preg_replace('/[^\da-z]/i', '', urldecode($list[1]));
 
 $list="../lists/".$list.".json";                                   //actually setting the list for the target. Under is the array for an empty list being created
 $array = array("nowPlaying" => array("30H2Z8Lr-4c" => array("id" => "30H2Z8Lr-4c", "title" => "Empty Channel, search to add a video")), "songs" => array(), "conf" => array("startTime" => time(), "views" => array(), "skips" => array(), "vote" => "false", "addsongs" => "false", "longsongs" => "true", "frontpage" => "true", "allvideos" => "true", "removeplay" => "false", "adminpass" => ""));