From 3e2fd5d620097233ac74f03b8e57993768365c6e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 22 Nov 2025 22:43:08 +0000
Subject: [PATCH] Add XSS protection by escaping all HTML output

Escape all parameter keys, captions, descriptions, option values, and defaults before inserting into HTML to prevent XSS vulnerabilities from XML configuration data.

Co-authored-by: iaretechnician <2749183+iaretechnician@users.noreply.github.com>
---
 modules/billing/docs/rust/index.php | 49 +++++++++++++++++++++++++++++
 tools/generate_game_docs.py         | 20 ++++++++----
 2 files changed, 63 insertions(+), 6 deletions(-)

diff --git a/modules/billing/docs/rust/index.php b/modules/billing/docs/rust/index.php
index 26816d53..bbd2d4e2 100644
--- a/modules/billing/docs/rust/index.php
+++ b/modules/billing/docs/rust/index.php
@@ -279,6 +279,55 @@ setadminpassword [password]
     </div>
 </div>
 
+<h3>Creating a Start Script</h3>
+
+<p><strong>Linux (start.sh):</strong></p>
+<pre><code>#!/bin/bash
+cd /path/to/server
+./server_executable [parameters] 2>&1 | tee server.log
+</code></pre>
+<pre><code>chmod +x start.sh
+./start.sh
+</code></pre>
+
+<p><strong>Windows (start.bat):</strong></p>
+<pre><code>@echo off
+cd /d "%~dp0"
+server_executable.exe [parameters]
+pause
+</code></pre>
+
+<h3>Running as a Service</h3>
+
+<p><strong>Linux (systemd):</strong></p>
+<pre><code># Create service file: /etc/systemd/system/gameserver.service
+[Unit]
+Description=Rust Server
+After=network.target
+
+[Service]
+Type=simple
+User=gameserver
+WorkingDirectory=/home/gameserver/server
+ExecStart=/home/gameserver/server/start.sh
+Restart=on-failure
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
+</code></pre>
+
+<pre><code># Enable and start service
+sudo systemctl daemon-reload
+sudo systemctl enable gameserver
+sudo systemctl start gameserver
+sudo systemctl status gameserver
+</code></pre>
+
+<h2 id="troubleshooting">🔧 Troubleshooting</h2>
+
+<h3>Server Won't Start</h3>
+
 <h4>Check Server Logs</h4>
 <pre><code># View recent log entries
 tail -f server.log
diff --git a/tools/generate_game_docs.py b/tools/generate_game_docs.py
index 31d423d9..4427ac64 100755
--- a/tools/generate_game_docs.py
+++ b/tools/generate_game_docs.py
@@ -623,7 +623,7 @@ setadminpassword [password]
                 default = param.get('default')
                 options = param.get('options', [])
                 
-                # Clean HTML from description - unescape HTML entities and remove tags
+                # Clean HTML from description - unescape HTML entities, remove tags, then re-escape for output
                 if description:
                     description_clean = html.unescape(description)
                     # Remove HTML tags (simple but effective for our use case)
@@ -631,13 +631,18 @@ setadminpassword [password]
                 else:
                     description_clean = "No description available"
                 
+                # Escape all values for HTML output to prevent XSS
+                param_key_escaped = html.escape(param_key, quote=True)
+                caption_escaped = html.escape(caption, quote=True)
+                description_escaped = html.escape(description_clean, quote=True)
+                
                 php_doc += f'''
     <div style="margin-bottom: 20px; padding-bottom: 20px; border-bottom: 1px solid #374151;">
         <h4 style="color: #ffffff; margin-top: 0;">
-            <code style="background: #0f172a; padding: 4px 8px; border-radius: 3px; color: #a5b4fc;">{param_key}</code>
-            <span style="color: #e5e7eb; font-weight: normal; font-size: 0.9em;"> - {caption}</span>
+            <code style="background: #0f172a; padding: 4px 8px; border-radius: 3px; color: #a5b4fc;">{param_key_escaped}</code>
+            <span style="color: #e5e7eb; font-weight: normal; font-size: 0.9em;"> - {caption_escaped}</span>
         </h4>
-        <p style="color: #e5e7eb; margin: 10px 0;">{description_clean}</p>
+        <p style="color: #e5e7eb; margin: 10px 0;">{description_escaped}</p>
 '''
                 
                 if param_type == 'select' and options:
@@ -645,12 +650,15 @@ setadminpassword [password]
         <ul style="color: #e5e7eb; margin-left: 20px;">
 '''
                     for opt in options:
-                        php_doc += f'''            <li><code style="background: #0f172a; padding: 2px 6px; border-radius: 3px; color: #a5b4fc;">{opt['value']}</code> - {opt['text']}</li>\n'''
+                        opt_value_escaped = html.escape(opt['value'], quote=True)
+                        opt_text_escaped = html.escape(opt['text'], quote=True)
+                        php_doc += f'''            <li><code style="background: #0f172a; padding: 2px 6px; border-radius: 3px; color: #a5b4fc;">{opt_value_escaped}</code> - {opt_text_escaped}</li>\n'''
                     php_doc += '''        </ul>
 '''
                 
                 if default:
-                    php_doc += f'''        <p style="color: #fbbf24;"><strong>Default:</strong> <code style="background: #0f172a; padding: 2px 6px; border-radius: 3px;">{default}</code></p>
+                    default_escaped = html.escape(str(default), quote=True)
+                    php_doc += f'''        <p style="color: #fbbf24;"><strong>Default:</strong> <code style="background: #0f172a; padding: 2px 6px; border-radius: 3px;">{default_escaped}</code></p>
 '''
                 
                 php_doc += '''    </div>