From a5722014c0319689a76969dcbaea7374a606998e Mon Sep 17 00:00:00 2001
From: Chris Fulljames <christianfulljames@gmail.com>
Date: Sun, 10 May 2026 17:48:29 -0400
Subject: [PATCH] Fix escaping and URL prefix

---
 index.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/index.php b/index.php
index f99c444..9961194 100755
--- a/index.php
+++ b/index.php
@@ -5,7 +5,7 @@ $event = $_GET['event'];
 $name = $_GET['name'];
 
 function event_url($e) {
-    return BASE_URL."?event=$e";
+    return "?event=$e";
 }
 
 function query_db($query, $params=null) {
@@ -60,7 +60,7 @@ if (isset($event) && isset($name)) {
 }
 
 $peeps = get_peeps($event);
-$shareable_link = event_url($event);
+$shareable_link = BASE_URL.event_url($event);
 ?>
 <!DOCTYPE html>
 <html>
@@ -110,7 +110,7 @@ $shareable_link = event_url($event);
 
 <?php if (isset($event)): ?>
   <?php if (isset($name)): ?>
-    <h2>Hello, <?= $name ?>!</h2>
+    <h2>Hello, <?= htmlspecialchars($name) ?>!</h2>
   <?php else: ?>
     <h2>Hello!</h2>
     <form>
@@ -127,11 +127,11 @@ $shareable_link = event_url($event);
     <?php
     foreach ($peeps as &$p) {
         $cls = $p['name'] == $name ? 'me' : '';
-        echo "<tr><td class='$cls'>$p[name]</td></tr>\n";
+        echo "<tr><td class='$cls'>".htmlspecialchars($p['name'])."</td></tr>\n";
         echo "<tr><td>&#x2b07;</td></tr>\n";
     }
     $first = reset($peeps);
-    echo "<tr><td>$first[name]</td></tr>\n";
+    echo "<tr><td>".htmlspecialchars($first['name'])."</td></tr>\n";
     ?>
     </table>
 <?php elseif (isset($event)): ?>
-- 
2.39.5