From ebb0e041ca771fac2dc46ac93bafa77faa120a36 Mon Sep 17 00:00:00 2001
From: nathansmith117 <nathansmith117@sdf.org>
Date: Mon, 20 May 2024 22:58:14 -0600
Subject: Added easter egg for hackers

---
 blahaj_info.json        |  1 +
 cgi-bin/blahaj_list.cgi | 22 +++++++++++++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 blahaj_info.json

diff --git a/blahaj_info.json b/blahaj_info.json
new file mode 100644
index 0000000..2bc30e1
--- /dev/null
+++ b/blahaj_info.json
@@ -0,0 +1 @@
+[{"name": "</h2><p>hi there</p><h2>", "info": "", "date": "May, 20 2024"}, {"name": "</h2><script>alert(\"hi\");</script><h1>", "info": "", "date": "May, 20 2024"}, {"name": "<h2></h2><script>alert(\"owo\");</script><h2>", "info": "", "date": "May, 20 2024"}, {"name": "hi", "info": "</p><script>alert(\"hi\");</script>", "date": "May, 20 2024"}, {"name": "sdfdsfdf", "info": "", "date": "May, 20 2024"}]
\ No newline at end of file
diff --git a/cgi-bin/blahaj_list.cgi b/cgi-bin/blahaj_list.cgi
index e28b626..d585034 100755
--- a/cgi-bin/blahaj_list.cgi
+++ b/cgi-bin/blahaj_list.cgi
@@ -3,11 +3,27 @@
 import cgi
 import json
 
+from bs4 import BeautifulSoup
+
 # Worse code here. Prepare your eyes for this monster.
 # Its almost as bad as programming anything in php or even worse javascript.
 
 print('Content-Type: text/html')
 
+# Mode for letting peope inject stuff.
+form = cgi.FieldStorage()
+unsafe_mode = form.getvalue("unsafe_mode") == "on"
+
+# Hehehe
+def check_for_injection(value):
+    if bool(BeautifulSoup(value, "html.parser").find()) and not unsafe_mode:
+        return """
+            This silly silly tried to hack this website lmao.
+            <a href=\"?unsafe_mode=on\">Click to see the website with the hack</a>
+        """
+        
+    return value
+
 def create_blahaj_tables():
     try:
         tables_html = """
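Review bot: `check_for_injection` (L40–L47) is a detector with a caller-selectable bypass rather than a sanitizer: once `?unsafe_mode=on` is in the query string, the stored value is returned verbatim and substituted straight into the page, so the markup held in blahaj_info.json (including its `<script>` entries) runs in the browser of anyone who follows the link the "safe" branch itself emits. If the goal is to show the attempt, render it inertly: change L47 to `return html.escape(value)` and add `import html` to the stdlib imports, which displays the raw text of the stored value without executing it; with that in place the bs4 parse on L41 only decides which message to show and could be dropped in favour of always escaping. Separately, `cgi` is deprecated since Python 3.11 and removed in 3.13, so `cgi.FieldStorage()` on L36 ties this script to older interpreters; `urllib.parse.parse_qs(os.environ.get("QUERY_STRING", ""))` is the stdlib replacement for a GET parameter. The three `.replace` calls in the next hunk consume this function's output, so this is the single place to fix it.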
@@ -45,9 +61,9 @@ def create_blahaj_tables():
                     </table>
                 """
 
-                current_table = current_table.replace("put_name_here", blahaj["name"])
-                current_table = current_table.replace("put_info_here", blahaj["info"])
-                current_table = current_table.replace("put_date_here", blahaj["date"])
+                current_table = current_table.replace("put_name_here", check_for_injection(blahaj["name"]))
+                current_table = current_table.replace("put_info_here", check_for_injection(blahaj["info"]))
+                current_table = current_table.replace("put_date_here", check_for_injection(blahaj["date"]))
 
                 tables_html += current_table
 
-- 
cgit v1.2.3