From 526f2b31824605899a88d46128192d19ddd701ca Mon Sep 17 00:00:00 2001
From: Habu <habu@users.sourceforge.jp>
Date: Fri, 30 Mar 2018 21:30:57 +0900
Subject: [PATCH] =?utf8?q?[fix]=E3=82=BB=E3=82=AD=E3=83=A5=E3=83=AA?=
 =?utf8?q?=E3=83=86=E3=82=A3=E5=AF=BE=E7=AD=96=E3=81=AE=E3=81=9F=E3=82=81?=
 =?utf8?q?=E5=90=8D=E5=89=8D=E3=81=A8=E6=AD=BB=E5=9B=A0=E6=AC=84=E3=81=AFH?=
 =?utf8?q?TML=E7=89=B9=E6=AE=8A=E6=96=87=E5=AD=97=E3=82=92=E3=82=A8?=
 =?utf8?q?=E3=82=B9=E3=82=B1=E3=83=BC=E3=83=97=E3=81=99=E3=82=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 score/killer_ranking.php |  4 +++-
 score/score_ranking.php  | 13 +++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/score/killer_ranking.php b/score/killer_ranking.php
index 5d2674d..196c809 100644
--- a/score/killer_ranking.php
+++ b/score/killer_ranking.php
@@ -6,6 +6,7 @@ ini_set('error_log', 'errors/'.pathinfo(__FILE__, PATHINFO_FILENAME).'.log');
 
 ini_set('zlib.output_compression', 'On');
 
+require_once "common.inc";
 require_once "db_common.inc";
 require_once "web_template.inc";
 
@@ -39,11 +40,12 @@ EOM
 fwrite($fp, "<tboby>\n");
 foreach ($killers as $k) {
     //$freeze = $k['killer_count_freeze'] > 0 ? "(".$k['killer_count_freeze'].")" : "";
+    $killer_name = h($k['killer_name']);
     fwrite($fp, <<<EOM
 <tr>
 <td class="number">{$k['killer_count_total']}</td>
 <td class="number">{$k['killer_count_freeze']}</td>
-<td>{$k['killer_name']}</td>
+<td>$killer_name</td>
 </tr>
 
 EOM
diff --git a/score/score_ranking.php b/score/score_ranking.php
index f69f994..7ad8434 100644
--- a/score/score_ranking.php
+++ b/score/score_ranking.php
@@ -4,6 +4,7 @@
 ini_set('log_errors', 'On');
 ini_set('error_log', 'errors/'.pathinfo(__FILE__, PATHINFO_FILENAME).'.log');
 
+require_once "common.inc";
 require_once "db_common.inc";
 require_once "dump_file.inc";
 require_once "web_template.inc";
@@ -119,10 +120,9 @@ EOM
         $realms = isset($score['realms_name']) ? "(".$score['realms_name'].")" : "";
         $dumpfile = new DumpFile($score['score_id']);
 
+        $name = h("{$score['personality_name']}{$score['name']}");
         if ($dumpfile->exists('dumps', 'txt')) {
-            $name = "<a href=\"show_dump.php?score_id={$score['score_id']}\">{$score['personality_name']}{$score['name']}</a>";
-        } else {
-            $name = "{$score['personality_name']}{$score['name']}";
+            $name = "<a href=\"show_dump.php?score_id={$score['score_id']}\">{$name}</a>";
         }
         fwrite($fp, <<<EOM
 <tr>
@@ -136,12 +136,13 @@ EOM
 
 EOM
         );
+        $death_reason = h($score['death_reason']);
         if ($dumpfile->exists('screens', 'html')) {
-            fwrite($fp, "<td><a href=\"show_screen.php?score_id={$score['score_id']}\">{$score['death_reason']}</a>");
+            fwrite($fp, "<td><a href=\"show_screen.php?score_id={$score['score_id']}\">{$death_reason}</a>");
         } else {
-            fwrite($fp, "<td>{$score['death_reason']}");
+            fwrite($fp, "<td>{$death_reason}");
         }
-        fwrite($fp, "<br>({$depth}{$score['version']})</td>\n".
+        fwrite($fp, "<br>({$depth}".h($score['version']).")</td>\n".
                "</tr>\n");
     }
     fwrite($fp, "</tbody>\n");
-- 
2.11.0