From 08fe051269785530f08adac00709aefa89f8fb8c Mon Sep 17 00:00:00 2001
From: rainbow napkin <ourforest@tuta.io>
Date: Tue, 4 Nov 2025 06:09:26 -0500
Subject: [PATCH] Improved sanatization for server-side templating.

---
 src/controllers/adminPanelController.js       |  6 +++-
 src/controllers/channelSettingsController.js  |  5 +++-
 src/controllers/indexController.js            |  5 +++-
 src/controllers/panel/profileController.js    |  5 +++-
 src/controllers/profileController.js          |  9 ++++--
 src/controllers/tooltip/altListController.js  |  3 +-
 src/controllers/tooltip/profileController.js  |  7 +++--
 src/schemas/tokebot/tokeSchema.js             |  2 +-
 src/views/adminPanel.ejs                      |  4 +--
 src/views/channelSettings.ejs                 |  8 +++---
 src/views/index.ejs                           | 10 +++----
 src/views/partial/adminPanel/channelList.ejs  | 18 ++++++------
 src/views/partial/adminPanel/permList.ejs     | 12 ++++----
 src/views/partial/adminPanel/userList.ejs     | 26 ++++++++---------
 src/views/partial/channelSettings/info.ejs    |  6 ++--
 .../partial/channelSettings/permList.ejs      |  7 +++--
 .../partial/channelSettings/settings.ejs      |  6 ++--
 src/views/partial/panels/profile.ejs          | 28 +++++++++++--------
 src/views/partial/profile/bio.ejs             | 16 +++++++++--
 src/views/partial/profile/date.ejs            |  2 +-
 src/views/partial/profile/image.ejs           |  2 +-
 src/views/partial/profile/pronouns.ejs        |  4 +--
 src/views/partial/profile/settings.ejs        |  2 +-
 src/views/partial/profile/signature.ejs       |  4 +--
 src/views/partial/profile/status.ejs          |  6 ++--
 src/views/partial/profile/tokeCount.ejs       |  6 ++--
 src/views/partial/tooltip/altList.ejs         | 12 ++++----
 src/views/partial/tooltip/profile.ejs         | 10 +++----
 src/views/profile.ejs                         | 16 +++++------
 www/css/panel/profile.css                     |  8 +++++-
 30 files changed, 151 insertions(+), 104 deletions(-)

diff --git a/src/controllers/adminPanelController.js b/src/controllers/adminPanelController.js
index 2d5e72f..ca1a74c 100644
--- a/src/controllers/adminPanelController.js
+++ b/src/controllers/adminPanelController.js
@@ -17,6 +17,9 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //Config
 const config = require('../../config.json');
 
+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //Local Imports
 const {userModel} = require('../schemas/user/userSchema');
 const permissionModel = require('../schemas/permissionSchema');
@@ -45,7 +48,8 @@ module.exports.get = async function(req, res){
             chanGuide: chanGuide,
             userList: userList,
             permList: permList,
-            csrfToken: csrfUtils.generateToken(req)
+            csrfToken: csrfUtils.generateToken(req),
+            unescape: validator.unescape
         });
 
     }catch(err){
diff --git a/src/controllers/channelSettingsController.js b/src/controllers/channelSettingsController.js
index 5b20aba..e310773 100644
--- a/src/controllers/channelSettingsController.js
+++ b/src/controllers/channelSettingsController.js
@@ -17,6 +17,9 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //Config
 const config = require('../../config.json');
 
+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //local imports
 const channelModel = require('../schemas/channel/channelSchema');
 const permissionModel = require('../schemas/permissionSchema');
@@ -39,7 +42,7 @@ module.exports.get = async function(req, res){
             throw loggerUtils.exceptionSmith("Channel not found.", "queue");
         }
         
-        return res.render('channelSettings', {instance: config.instanceName, user: req.session.user, channel: chanDB, reqRank, rankEnum: permissionModel.rankEnum, csrfToken: csrfUtils.generateToken(req)});
+        return res.render('channelSettings', {instance: config.instanceName, user: req.session.user, channel: chanDB, reqRank, rankEnum: permissionModel.rankEnum, csrfToken: csrfUtils.generateToken(req), unescape: validator.unescape});
     }catch(err){
         return exceptionHandler(res, err);
     }
diff --git a/src/controllers/indexController.js b/src/controllers/indexController.js
index bbf1915..30e9682 100644
--- a/src/controllers/indexController.js
+++ b/src/controllers/indexController.js
@@ -17,6 +17,9 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //Config
 const config = require('../../config.json');
 
+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //local imports
 const channelModel = require('../schemas/channel/channelSchema');
 const csrfUtils = require('../utils/csrfUtils');
@@ -26,7 +29,7 @@ const {exceptionHandler, errorHandler} = require('../utils/loggerUtils');
 module.exports.get = async function(req, res){
     try{
         const chanGuide = await channelModel.getChannelList();
-        return res.render('index', {instance: config.instanceName, user: req.session.user, chanGuide: chanGuide, csrfToken: csrfUtils.generateToken(req)});
+        return res.render('index', {instance: config.instanceName, user: req.session.user, chanGuide: chanGuide, csrfToken: csrfUtils.generateToken(req), unescape: validator.unescape});
     }catch(err){
         return exceptionHandler(res, err);
     }
diff --git a/src/controllers/panel/profileController.js b/src/controllers/panel/profileController.js
index 4a58c7d..f24d1dc 100644
--- a/src/controllers/panel/profileController.js
+++ b/src/controllers/panel/profileController.js
@@ -17,6 +17,9 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //NPM Imports
 const {validationResult, matchedData} = require('express-validator');
 
+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //local imports
 const presenceUtils = require('../../utils/presenceUtils');
 const {userModel} = require('../../schemas/user/userSchema');
@@ -34,7 +37,7 @@ module.exports.get = async function(req, res){
             //Pull presence (should be quick since everyone whos been on since last startup will be backed in RAM)
             const presence = await presenceUtils.getPresence(profile.user);
 
-            return res.render('partial/panels/profile', {profile, presence});
+            return res.render('partial/panels/profile', {profile, presence, unescape: validator.unescape});
         }else{
             res.status(400);
             return res.send({errors: validResult.array()})
diff --git a/src/controllers/profileController.js b/src/controllers/profileController.js
index fd13cac..67d1895 100644
--- a/src/controllers/profileController.js
+++ b/src/controllers/profileController.js
@@ -20,6 +20,9 @@ const csrfUtils = require('../utils/csrfUtils');
 const presenceUtils = require('../utils/presenceUtils');
 const {exceptionHandler, errorHandler} = require('../utils/loggerUtils');
 
+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //Config
 const config = require('../../config.json');
 
@@ -44,7 +47,8 @@ module.exports.get = async function(req, res){
                 profile,
                 selfProfile,
                 presence,
-                csrfToken: csrfUtils.generateToken(req)
+                csrfToken: csrfUtils.generateToken(req),
+                unescape: validator.unescape
             });
         }else{
             res.render('profile', {
@@ -53,7 +57,8 @@ module.exports.get = async function(req, res){
                 profile: null,
                 selfProfile: false,
                 presence: null,
-                csrfToken: csrfUtils.generateToken(req)
+                csrfToken: csrfUtils.generateToken(req),
+                unescape: validator.unescape
             });
         }
     }catch(err){
diff --git a/src/controllers/tooltip/altListController.js b/src/controllers/tooltip/altListController.js
index a037cd0..d470114 100644
--- a/src/controllers/tooltip/altListController.js
+++ b/src/controllers/tooltip/altListController.js
@@ -16,6 +16,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 
 //NPM Imports
 const {validationResult, matchedData} = require('express-validator');
+const validator = require('validator');//Because sometimes one isn't enough...
 
 //local imports
 const {userModel} = require('../../schemas/user/userSchema');
@@ -34,7 +35,7 @@ module.exports.get = async function(req, res){
                 return errorHandler(res, 'Cannot get alts for non-existant user!');
             }
 
-            return res.render('partial/tooltip/altList', {alts: await userDB.getAltProfiles()});
+            return res.render('partial/tooltip/altList', {alts: await userDB.getAltProfiles(), unescape: validator.unescape});
         }else{
             res.status(400);
             return res.send({errors: validResult.array()})
diff --git a/src/controllers/tooltip/profileController.js b/src/controllers/tooltip/profileController.js
index 18f9cff..e4b4a0c 100644
--- a/src/controllers/tooltip/profileController.js
+++ b/src/controllers/tooltip/profileController.js
@@ -17,6 +17,9 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //NPM Imports
 const {validationResult, matchedData} = require('express-validator');
 
+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //local imports
 const {userModel} = require('../../schemas/user/userSchema');
 const {exceptionHandler, errorHandler} = require('../../utils/loggerUtils');
@@ -30,10 +33,10 @@ module.exports.get = async function(req, res){
             const data = matchedData(req);
             const profile = await userModel.findProfile({user: data.user});
 
-            return res.render('partial/tooltip/profile', {profile});
+            return res.render('partial/tooltip/profile', {profile, unescape: validator.unescape});
         }else{
             res.status(400);
-            return res.send({errors: validResult.array()})
+            return res.send({errors: validResult.array()});
         }
 
     }catch(err){
diff --git a/src/schemas/tokebot/tokeSchema.js b/src/schemas/tokebot/tokeSchema.js
index ca186af..7b86913 100644
--- a/src/schemas/tokebot/tokeSchema.js
+++ b/src/schemas/tokebot/tokeSchema.js
@@ -91,7 +91,7 @@ tokeSchema.statics.calculateTokeMap = async function(){
 
     //Display calculated toke sats for funsies
     if(config.verbose){
-        console.log(`Processed ${this.commandCount} toke command callouts accross ${await this.estimatedDocumentCount()} tokes.`);
+        console.log(`Processed ${this.commandCount} toke command callouts accross ${this.count} tokes, averaging ${(this.commandCount/this.count).toFixed(3)} tokers per toke.`);
     }
 }
 
diff --git a/src/views/adminPanel.ejs b/src/views/adminPanel.ejs
index d34c773..b49d7ea 100644
--- a/src/views/adminPanel.ejs
+++ b/src/views/adminPanel.ejs
@@ -25,8 +25,8 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
         <%- include('partial/navbar', {user}); %>
         <h1 class="panel-title"><%= instance %> Admin Panel</h1>
         <div class="admin-panel-container-div">
-            <%- include('partial/adminPanel/channelList', {chanGuide}) %>
-            <%- include('partial/adminPanel/userList', {user, userList, rankEnum}) %>
+            <%- include('partial/adminPanel/channelList', {chanGuide, unescape}) %>
+            <%- include('partial/adminPanel/userList', {user, userList, rankEnum, unescape}) %>
             <%- include('partial/adminPanel/permList', {permList, rankEnum}) %>
             <%- include('partial/adminPanel/userBanList') %>
             <%- include('partial/adminPanel/tokeCommandList') %>
diff --git a/src/views/channelSettings.ejs b/src/views/channelSettings.ejs
index d94e44f..81b4e59 100644
--- a/src/views/channelSettings.ejs
+++ b/src/views/channelSettings.ejs
@@ -24,13 +24,13 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
     </head>
     <body>
         <%- include('partial/navbar', {user}); %>
-        <h1 class="panel-title"><%- channel.name %> - Channel Settings</h1>
+        <h1 class="panel-title"><%= unescape(channel.name) %> - Channel Settings</h1>
         <div class="admin-panel-container-div">
-            <%- include('partial/channelSettings/info.ejs', {channel}); %>
+            <%- include('partial/channelSettings/info.ejs', {unescape, channel}); %>
             <%- include('partial/channelSettings/userList.ejs'); %>
             <%- include('partial/channelSettings/banList.ejs'); %>
-            <%- include('partial/channelSettings/settings.ejs'); %>
-            <%- include('partial/channelSettings/permList.ejs'); %>
+            <%- include('partial/channelSettings/settings.ejs', {unescape, channel}); %>
+            <%- include('partial/channelSettings/permList.ejs', {channel}); %>
             <%- include('partial/channelSettings/tokeCommandList.ejs'); %>
             <%- include('partial/channelSettings/emoteList.ejs'); %>
         </div>
diff --git a/src/views/index.ejs b/src/views/index.ejs
index dc47f6d..4ee326c 100644
--- a/src/views/index.ejs
+++ b/src/views/index.ejs
@@ -26,11 +26,11 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
         <h3><a href="/newchannel">Start a new channel...</a></h3>
         <div id="channel-guide-div" class="channel-guide">
             <% chanGuide.forEach((channel) => { %>
-                <div id="channel-guide-entry-<%- channel.name %>" class="channel-guide-entry">
-                    <a href="/c/<%- channel.name %>" class="channel-guide-entry channel-guide-entry-item"><img id="channel-guide-entry-img-<%- channel.name %>" class="channel-guide-entry channel-guide-entry-item" src="<%- channel.thumbnail %>"></a>
-                    <h3 id="channel-guide-entry-name-<%- channel.name %>" class="channel-guide-entry channel-guide-entry-item"><a href="/c/<%- channel.name %>" class="channel-guide-entry channel-guide-entry-item"><%- channel.name %></a></h3>
-                    <span id="channel-guide-entry-description-span-<%- channel.name %>" class="channel-guide-entry channel-guide-entry-item">
-                        <p id="channel-guide-entry-description-<%- channel.name %>" class="channel-guide-entry channel-guide-entry-item"><%- channel.description %></h3>
+                <div id="channel-guide-entry-<%= unescape(channel.name) %>" class="channel-guide-entry">
+                    <a href="/c/<%= unescape(channel.name) %>" class="channel-guide-entry channel-guide-entry-item"><img id="channel-guide-entry-img-<%= unescape(channel.name) %>" class="channel-guide-entry channel-guide-entry-item" src="<%= encodeURI(unescape(channel.thumbnail)) %>"></a>
+                    <h3 id="channel-guide-entry-name-<%= unescape(channel.name) %>" class="channel-guide-entry channel-guide-entry-item"><a href="/c/<%= encodeURI(unescape(channel.name)) %>" class="channel-guide-entry channel-guide-entry-item"><%= unescape(channel.name) %></a></h3>
+                    <span id="channel-guide-entry-description-span-<%= unescape(channel.name) %>" class="channel-guide-entry channel-guide-entry-item">
+                        <p id="channel-guide-entry-description-<%= unescape(channel.name) %>" class="channel-guide-entry channel-guide-entry-item"><%= unescape(channel.description) %></h3>
                     </span>
                 </div>
             <% }); %>
diff --git a/src/views/partial/adminPanel/channelList.ejs b/src/views/partial/adminPanel/channelList.ejs
index 53311f7..e6e53ec 100644
--- a/src/views/partial/adminPanel/channelList.ejs
+++ b/src/views/partial/adminPanel/channelList.ejs
@@ -29,19 +29,19 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
                 </td>
             </tr>
         <% chanGuide.forEach((channel) => { %>
-            <tr id="admin-channel-list-entry-<%- channel.name %>" class="">
-                <td id="admin-channel-list-entry-img-<%- channel.name %>" class=" admin-list-entry-item">
-                    <a href="/c/<%- channel.name %>" class=" admin-list-entry-item">
-                        <img id="admin-channel-list-entry-img-<%- channel.name %>" class=" admin-list-entry-item" src="<%- channel.thumbnail %>">
+            <tr id="admin-channel-list-entry-<%= unescape(channel.name) %>" class="">
+                <td id="admin-channel-list-entry-img-<%= unescape(channel.name) %>" class=" admin-list-entry-item">
+                    <a href="/c/<%= encodeURI(unescape(channel.name)) %>" class=" admin-list-entry-item">
+                        <img id="admin-channel-list-entry-img-<%= unescape(channel.name) %>" class=" admin-list-entry-item" src="<%= encodeURI(unescape(channel.thumbnail)) %>">
                     </a>
                 </td>
-                <td id="admin-channel-list-entry-name-<%- channel.name %>" class=" admin-list-entry-item not-first-col">
-                    <a href="/c/<%- channel.name %>" class=" admin-list-entry-item">
-                        <%- channel.name %>
+                <td id="admin-channel-list-entry-name-<%= unescape(channel.name) %>" class=" admin-list-entry-item not-first-col">
+                    <a href="/c/<%= unescape(channel.name) %>" class=" admin-list-entry-item">
+                        <%= unescape(channel.name) %>
                     </a>
                 </td>
-                <td id="admin-channel-list-entry-description-<%- channel.name %>" class="large admin-list-entry-item not-first-col">
-                    <%- channel.description %>
+                <td id="admin-channel-list-entry-description-<%= unescape(channel.name) %>" class="large admin-list-entry-item not-first-col">
+                    <%= unescape(channel.description) %>
                 </td> 
             </tr>
         <% }); %>
diff --git a/src/views/partial/adminPanel/permList.ejs b/src/views/partial/adminPanel/permList.ejs
index d0e9ce1..40bce34 100644
--- a/src/views/partial/adminPanel/permList.ejs
+++ b/src/views/partial/adminPanel/permList.ejs
@@ -20,10 +20,10 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
             <% Object.keys(permList).forEach((key)=>{ %>
                 <% if(key != "channelOverrides"){ %>
                     <span class="admin-list-field-container">
-                        <label class="admin-list-label admin-perm-list" for="admin-perm-list-rank-select-<%- key %>"><%- key %>: </label>
-                        <select name="admin-perm-list-rank-select-<%- key %>" data-key="<%- key %>" class="admin-list-select admin-perm-list-rank-select">
+                        <label class="admin-list-label admin-perm-list" for="admin-perm-list-rank-select-<%= key %>"><%= key %>: </label>
+                        <select name="admin-perm-list-rank-select-<%= key %>" data-key="<%= key %>" class="admin-list-select admin-perm-list-rank-select">
                             <%rankEnum.slice().reverse().forEach((rank)=>{ %>
-                                <option <%if(permList[key] == rank){%> selected <%}%> value="<%- rank %>"><%- rank %></option>
+                                <option <%if(permList[key] == rank){%> selected <%}%> value="<%= rank %>"><%= rank %></option>
                             <% }); %>
                         </select>
                     </span>
@@ -33,10 +33,10 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
             <% Object.keys(permList.channelOverrides).forEach((key)=>{ %>
                 <% if(key != "channelOverrides"){ %>
                     <span class="admin-list-field-container">
-                        <label class="admin-list-label admin-chan-perm-list" for="admin-chan-perm-list-rank-select-<%- key %>"><%- key %>: </label>
-                        <select name="admin-chan-perm-list-rank-select-<%- key %>" data-key="<%- key %>" class="admin-list-select admin-chan-perm-list-rank-select">
+                        <label class="admin-list-label admin-chan-perm-list" for="admin-chan-perm-list-rank-select-<%= key %>"><%= key %>: </label>
+                        <select name="admin-chan-perm-list-rank-select-<%= key %>" data-key="<%= key %>" class="admin-list-select admin-chan-perm-list-rank-select">
                             <%rankEnum.slice().reverse().forEach((rank)=>{ %>
-                                <option <%if(permList.channelOverrides[key] == rank){%> selected <%}%> value="<%- rank %>"><%- rank %></option>
+                                <option <%if(permList.channelOverrides[key] == rank){%> selected <%}%> value="<%= rank %>"><%= rank %></option>
                             <% }); %>
                         </select>
                     </span>
diff --git a/src/views/partial/adminPanel/userList.ejs b/src/views/partial/adminPanel/userList.ejs
index d94142a..df54d21 100644
--- a/src/views/partial/adminPanel/userList.ejs
+++ b/src/views/partial/adminPanel/userList.ejs
@@ -41,42 +41,42 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
                 </td>
             </tr>
         <% userList.forEach((curUser) => { %>
-            <tr id="admin-user-list-entry-<%- curUser.user %>" class="admin-list-entry" data-name="<%- curUser.user %>" >
+            <tr id="admin-user-list-entry-<%= unescape(curUser.user) %>" class="admin-list-entry" data-name="<%= unescape(curUser.user) %>" >
                 <td class="admin-list-entry-item">
-                    <a href="/profile/<%- curUser.user %>" class="admin-list-entry-item">
-                        <img class="admin-list-entry-item" src="<%- curUser.img %>">
+                    <a href="/profile/<%= unescape(curUser.user) %>" class="admin-list-entry-item">
+                        <img class="admin-list-entry-item" src="<%= encodeURI(unescape(curUser.img)) %>">
                     </a>
                 </td>
                 <td class="admin-list-entry-item not-first-col">
-                    <a href="/profile/<%- curUser.user %>" class="admin-list-entry-item">
-                        <%- curUser.id %>
+                    <a href="/profile/<%= encodeURI(unescape(curUser.user)) %>" class="admin-list-entry-item">
+                        <%= curUser.id %>
                     </a>
                 </td>
                 <td class="admin-list-entry-item not-first-col">
-                    <a href="/profile/<%- curUser.user %>" class="admin-list-entry-item admin-user-list-name">
-                        <%- curUser.user %>
+                    <a href="/profile/<%= encodeURI(unescape(curUser.user)) %>" class="admin-list-entry-item admin-user-list-name">
+                        <%= unescape(curUser.user) %>
                     </a>
                 </td>
                 <td class="admin-list-entry-item not-first-col">
                     <% if(rankEnum.indexOf(curUser.rank) < rankEnum.indexOf(user.rank)){%>
-                        <select id="admin-user-list-rank-select-<%- curUser.user %>" class="admin-user-list-rank-select">
+                        <select id="admin-user-list-rank-select-<%= unescape(curUser.user) %>" class="admin-user-list-rank-select">
                             <%rankEnum.slice().reverse().forEach((rank)=>{ %>
-                                <option <%if(curUser.rank == rank){%> selected <%}%> value="<%- rank %>"><%- rank %></option>
+                                <option <%if(curUser.rank == rank){%> selected <%}%> value="<%= rank %>"><%= rank %></option>
                             <% }); %>
                         </select>
                     <% }else{ %> 
-                        <%- curUser.rank %>
+                        <%= curUser.rank %>
                     <% } %>
                 </td>
                 <td class="admin-list-entry-item not-first-col">
-                        <%- curUser.email ? curUser.email : "N/A" %>
+                        <%= unescape(curUser.email) ? curUser.email : "N/A" %>
                 </td>
                 <td class="admin-list-entry-item not-first-col">
-                        <%- curUser.date.toUTCString() %>
+                        <%= unescape(curUser.date.toUTCString()) %>
                 </td>
                 <td class="admin-list-entry-item not-first-col">
                     <%# It's either this or add whitespce >:( %>
-                    <i class="bi-radioactive admin-user-list-icon admin-user-list-nuke-icon" title="Nuke Account: <%- curUser.user %>"></i><i class="bi-fire admin-user-list-icon admin-user-list-ban-icon" title="Ban User: <%- curUser.user %>"></i><i class="bi-arrow-clockwise admin-user-list-icon admin-user-list-pw-reset-icon" title="Generate Password Reset Link for <%- curUser.user %>"></i>
+                    <i class="bi-radioactive admin-user-list-icon admin-user-list-nuke-icon" title="Nuke Account: <%= unescape(curUser.user) %>"></i><i class="bi-fire admin-user-list-icon admin-user-list-ban-icon" title="Ban User: <%= unescape(curUser.user) %>"></i><i class="bi-arrow-clockwise admin-user-list-icon admin-user-list-pw-reset-icon" title="Generate Password Reset Link for <%= unescape(curUser.user) %>"></i>
                 </td>
             </tr>
         <% }); %>
diff --git a/src/views/partial/channelSettings/info.ejs b/src/views/partial/channelSettings/info.ejs
index a2f073f..11aeafb 100644
--- a/src/views/partial/channelSettings/info.ejs
+++ b/src/views/partial/channelSettings/info.ejs
@@ -19,13 +19,13 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
         <span class="channel-info-span" id="channel-info-thumbnail-span">
             <p class="channel-info-label">Thumbnail:</p>
             <div>
-                <input value="<%= channel.thumbnail %>" placeholder="Thumbnail URL" style="display: none;" id="channel-info-thumbnail-prompt">
-                <img class="interactive" src="<%= channel.thumbnail %> " id="channel-info-thumbnail">
+                <input value="<%= encodeURI(unescape(channel.thumbnail)) %>" placeholder="Thumbnail URL" style="display: none;" id="channel-info-thumbnail-prompt">
+                <img class="interactive" src="<%= encodeURI(unescape(channel.thumbnail)) %> " id="channel-info-thumbnail">
             </div>
         </span>
         <span class="channel-info-span" id="channel-info-description-span">
             <p class="channel-info-label">Description:</p>
-            <p class="interactive" id="channel-info-description"><%= channel.description %></p>
+            <p class="interactive" id="channel-info-description"><%= unescape(channel.description) %></p>
         <span>
     </div>
 </div>
\ No newline at end of file
diff --git a/src/views/partial/channelSettings/permList.ejs b/src/views/partial/channelSettings/permList.ejs
index 80ca3e4..0c9cb20 100644
--- a/src/views/partial/channelSettings/permList.ejs
+++ b/src/views/partial/channelSettings/permList.ejs
@@ -20,10 +20,11 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
             <% Object.keys(channel.permissions.toObject()).forEach((key)=>{ %>
                 <% if(key != "channelOverrides"){ %>
                     <span class="admin-list-field-container">
-                        <label class="admin-list-label admin-perm-list" for="admin-perm-list-rank-select-<%- key %>"><%- key %>: </label>
-                        <select data-key="<%- key %>" name="admin-perm-list-rank-select-<%- key %>" class="channel-perm-select admin-list-select admin-perm-list-rank-select">
+                        <%# These strings are generated internally server-side. There really isn't much of a reason to sanatize them.%>
+                        <label class="admin-list-label admin-perm-list" for="admin-perm-list-rank-select-<%= key %>"><%= key %>: </label>
+                        <select data-key="<%= key %>" name="admin-perm-list-rank-select-<%= key %>" class="channel-perm-select admin-list-select admin-perm-list-rank-select">
                             <%rankEnum.slice().reverse().forEach((rank)=>{ %>
-                                <option <%if(channel.permissions.toObject()[key] == rank){%> selected <%}%> value="<%- rank %>"><%- rank %></option>
+                                <option <%if(channel.permissions.toObject()[key] == rank){%> selected <%}%> value="<%= rank %>"><%= rank %></option>
                             <% }); %>
                         </select>
                     </span>
diff --git a/src/views/partial/channelSettings/settings.ejs b/src/views/partial/channelSettings/settings.ejs
index 9ddc294..1ec464c 100644
--- a/src/views/partial/channelSettings/settings.ejs
+++ b/src/views/partial/channelSettings/settings.ejs
@@ -19,13 +19,13 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
         <form action="javascript:" class="admin-list-field">
             <% Object.keys(channel.settings).forEach((key) => { %>
                 <span class="admin-list-field-container">
-                    <label class="admin-list-label"><%- key %>:</label>
+                    <label class="admin-list-label"><%= key %>:</label>
                     <% switch(typeof channel.settings[key]){ 
                     case "string": %>
-                        <input data-key="<%- key %>" class="channel-preference-list-item" value="<%- channel.settings[key] %>">
+                        <input data-key="<%= key %>" class="channel-preference-list-item" value="<%= channel.settings[key] %>">
                         <% break; 
                     default: %>
-                        <input data-key="<%- key %>" class="channel-preference-list-item" type="checkbox"  <% if(channel.settings[key]){ %> checked <% } %>>
+                        <input data-key="<%= key %>" class="channel-preference-list-item" type="checkbox"  <% if(channel.settings[key]){ %> checked <% } %>>
                         <% break;
                     } %>
                 </span>
diff --git a/src/views/partial/panels/profile.ejs b/src/views/partial/panels/profile.ejs
index b5728c6..63fc487 100644
--- a/src/views/partial/panels/profile.ejs
+++ b/src/views/partial/panels/profile.ejs
@@ -18,16 +18,22 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
     <% if(profile == null){ %>
         <p>Profile not found!</p>
     <% }else{ %>
-        <a class="panel profile-link" target="_blank" href="/profile/<%- profile.user %>">View Full Profile<i class="bi-box-arrow-in-up-right"></i></a>
-        <h2 class="panel profile-name"><%- profile.user %></h2>
-        <%- include('../profile/status', {profile, presence, auxClass:"panel"}); %>
-        <img class="panel profile-img" src="<%- profile.img %>">
-        <p class="panel profile-info">Toke Count: <%- profile.tokeCount %></p>
-        <% if(profile.pronouns != '' && profile.pronouns != null){ %>
-            <p class="panel profile-info">Pronouns: <%- profile.pronouns %></p>
-        <% } %>
-        <p class="panel profile-info">Signature: <%- profile.signature %></p>
-        <p class="panel profile-bio-label">Bio:</p>
-        <p class="panel profile-bio"><%- profile.bio %></p>
+        <% const splitBio = profile.bio.split('\n'); %>
+        <a class="panel profile-link" target="_blank" href="/profile/<%= encodeURI(unescape(profile.user)) %>">View Full Profile<i class="bi-box-arrow-in-up-right"></i></a>
+        <h2 class="panel profile-name"><%= unescape(profile.user) %></h2>
+        <%- include('../profile/status', {profile, presence, auxClass:"panel", unescape}); %>
+        <img class="panel profile-img" src="<%= encodeURI(unescape(profile.img)) %>">
+        <div class="dynamic-container panel profile-box">
+            <p class="panel profile-info">Toke Count: <%= profile.tokeCount %></p>
+            <% if(profile.pronouns != '' && profile.pronouns != null){ %>
+                <p class="panel profile-info">Pronouns: <%= unescape(profile.pronouns) %></p>
+            <% } %>
+            <p class="panel profile-info">Signature: <%= unescape(profile.signature) %></p>
+            <p class="panel profile-bio">
+                <% for(const line of splitBio){ %>
+                    <%= unescape(line) %><br>
+                <% } %>
+            </p>
+        </div>
     <% } %>
 </div>
\ No newline at end of file
diff --git a/src/views/partial/profile/bio.ejs b/src/views/partial/profile/bio.ejs
index 0cc620b..3d28720 100644
--- a/src/views/partial/profile/bio.ejs
+++ b/src/views/partial/profile/bio.ejs
@@ -15,11 +15,23 @@ You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
 <span class="profile-bio-span">
         <h4 id="profile-bio-label" class="profile-item-label">Bio:</h4>
+        <%
+            //Split bio by newline
+            const splitBio = profile.bio.split('\n');
+        %>
     <% if(selfProfile){ %>
         <%# Make sure to convert newlines to br so they display proepr %>
-        <p class="profile-item interactive" id="profile-bio-content"><%- profile.bio.replaceAll('\n','<br>') %></p>
+        <p class="profile-item interactive" id="profile-bio-content">
+            <% for(const line of splitBio){ %>
+                <%= unescape(line) %><br>
+            <% } %>
+        </p>
         <textarea class="profile-item-prompt" id="profile-bio-prompt"></textarea>
     <% }else{ %>
-        <p class="profile-item" id="profile-bio-content"><%- profile.bio.replaceAll('\n','<br>') %></p>
+        <p class="profile-item" id="profile-bio-content">
+            <% for(const line of splitBio){ %>
+                <%= unescape(line) %><br>
+            <% } %>
+        </p>
     <% } %>
 </span>
\ No newline at end of file
diff --git a/src/views/partial/profile/date.ejs b/src/views/partial/profile/date.ejs
index 27b21aa..55c175b 100644
--- a/src/views/partial/profile/date.ejs
+++ b/src/views/partial/profile/date.ejs
@@ -14,5 +14,5 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
 <span class="profile-item">
-    <p class="profile-item" id="profile-creation-date" title="<%- profile.date.toUTCString() %>">Joined: <%- profile.date.toLocaleDateString(); %></p>
+    <p class="profile-item" id="profile-creation-date" title="<%= profile.date.toUTCString() %>">Joined: <%= profile.date.toLocaleDateString(); %></p>
 </span>
\ No newline at end of file
diff --git a/src/views/partial/profile/image.ejs b/src/views/partial/profile/image.ejs
index 7665509..30f4afe 100644
--- a/src/views/partial/profile/image.ejs
+++ b/src/views/partial/profile/image.ejs
@@ -14,7 +14,7 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
 <div class="profile-item" id="profile-img">
-    <img class="profile-item" id="profile-img-content" src="<%- profile.img  %>">
+    <img class="profile-item" id="profile-img-content" src="<%= encodeURI(unescape(profile.img))  %>">
     <% if(selfProfile){ %>
             <input class="profile-item-prompt" id="profile-img-prompt">
     <% } %>
diff --git a/src/views/partial/profile/pronouns.ejs b/src/views/partial/profile/pronouns.ejs
index 3d427f2..cd35da2 100644
--- a/src/views/partial/profile/pronouns.ejs
+++ b/src/views/partial/profile/pronouns.ejs
@@ -24,10 +24,10 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
 <% }else if(profile.pronouns != null && profile.pronouns != ""){ %>
     <span class="profile-item profile-item-oneliner">
         <% if(selfProfile){ %>
-            <p class="profile-item profile-item-oneliner" id="profile-pronouns">Pronouns: <span class="profile-content interactive" id="profile-pronouns-content"><%- profile.pronouns %></span></p> 
+            <p class="profile-item profile-item-oneliner" id="profile-pronouns">Pronouns: <span class="profile-content interactive" id="profile-pronouns-content"><%= unescape(profile.pronouns) %></span></p> 
             <input class="profile-item-prompt" id="profile-pronouns-prompt">
         <% }else{ %>
-            <p class="profile-item profile-item-oneliner" id="profile-pronouns">Pronouns: <span class="profile-content" id="profile-pronouns-content"><%- profile.pronouns %></span></p> 
+            <p class="profile-item profile-item-oneliner" id="profile-pronouns">Pronouns: <span class="profile-content" id="profile-pronouns-content"><%= unescape(profile.pronouns) %></span></p> 
         <% } %>
     </span>
 <% } %>
\ No newline at end of file
diff --git a/src/views/partial/profile/settings.ejs b/src/views/partial/profile/settings.ejs
index 84a0ac8..3135653 100644
--- a/src/views/partial/profile/settings.ejs
+++ b/src/views/partial/profile/settings.ejs
@@ -17,7 +17,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
     <h3 class="account-settings" id="account-settings-label">Account Settings</h3>
     <% if(profile.email){ %>
         <h4 class="account-settings" id="account-email-label">Email Address:</h3>
-        <h4 class="account-settings" id="account-email-address"><%= profile.email %></h4>
+        <h4 class="account-settings" id="account-email-address"><%= unescape(profile.email) %></h4>
     <% } %>
     <span class="account-settings" id="account-settings-buttons">
         <button href="javascript:" class="account-settings positive-button" id="account-settings-update-email-button">Update Email</button>
diff --git a/src/views/partial/profile/signature.ejs b/src/views/partial/profile/signature.ejs
index 578354f..5bb5ea7 100644
--- a/src/views/partial/profile/signature.ejs
+++ b/src/views/partial/profile/signature.ejs
@@ -15,9 +15,9 @@ You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
 <span class="profile-item">
     <% if(selfProfile){ %>
-        <p class="profile-item profile-item-oneliner" id="profile-signature">Signature: <span class="profile-content interactive" id="profile-signature-content"><%- profile.signature %></span></p> 
+        <p class="profile-item profile-item-oneliner" id="profile-signature">Signature: <span class="profile-content interactive" id="profile-signature-content"><%= unescape(profile.signature) %></span></p> 
         <input class="profile-item-prompt" id="profile-signature-prompt">
     <% }else{ %>
-        <p class="profile-item profile-item-oneliner" id="profile-signature">Signature: <span class="profile-content" id="profile-signature-content"><%- profile.signature %></span></p> 
+        <p class="profile-item profile-item-oneliner" id="profile-signature">Signature: <span class="profile-content" id="profile-signature-content"><%= unescape(profile.signature) %></span></p> 
     <% } %>
 </span>
\ No newline at end of file
diff --git a/src/views/partial/profile/status.ejs b/src/views/partial/profile/status.ejs
index d2bdff5..1b37fd7 100644
--- a/src/views/partial/profile/status.ejs
+++ b/src/views/partial/profile/status.ejs
@@ -14,9 +14,9 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
 <% if(profile.user == "Tokebot"){ %>
-    <p id="profile-status" class="<%- auxClass %> positive profile-status"><span class="bi-record-fill"></span>Perma-Couched</p>
+    <p id="profile-status" class="<%= auxClass %> positive profile-status"><span class="bi-record-fill"></span>Perma-Couched</p>
 <% }else{ %>
     <% const statusClass = (presence.status == "Streaming") ? "positive" : ((presence.status == "Offline") ? "inactive" : "positive-low");%>
-    <% const curChan = (presence.activeConnections == null || presence.activeConnections.length <= 0) ? '' : (presence.activeConnections.length == 1 ? ` - /c/${presence.activeConnections[0].channel.name}` : " - Multiple Channels"); %>
-    <p id="profile-status" class="<%- auxClass %> <%- statusClass %> profile-status"><span class="bi-record-fill"></span><%- presence.status %><%-curChan%></p>
+    <% const curChan = (presence.activeConnections == null || presence.activeConnections.length <= 0) ? '' : (presence.activeConnections.length == 1 ? ` - /c/${unescape(presence.activeConnections[0].channel.name)}` : " - Multiple Channels"); %>
+    <p id="profile-status" class="<%= auxClass %> <%= statusClass %> profile-status"><span class="bi-record-fill"></span><%= presence.status %><%= unescape(curChan)%></p>
 <% } %>
\ No newline at end of file
diff --git a/src/views/partial/profile/tokeCount.ejs b/src/views/partial/profile/tokeCount.ejs
index ccf9ac5..a1d7356 100644
--- a/src/views/partial/profile/tokeCount.ejs
+++ b/src/views/partial/profile/tokeCount.ejs
@@ -14,16 +14,16 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
 <span class="profile-item profile-toke-count">
-    <p class="profile-item profile-toke-count interactive">Toke Count: (<%- profile.tokeCount %> Total) </p>
+    <p class="profile-item profile-toke-count interactive">Toke Count: (<%= profile.tokeCount %> Total) </p>
     <i class="-item bi-caret-left-fill profile-toke-count" id="toggle-toke-list"></i>
 </span>
 <div class="profile-item nested-dynamic-container" id="profile-tokes">
     <% profile.tokes.forEach((count, toke) => { %>
         <% if(toke != "Legacy Tokes"){ %>
-            <p class="profile-item profile-toke" id='profile-tokes<%-toke%>'>!<%- toke %>: <%- count %></p>
+            <p class="profile-item profile-toke" id='profile-tokes<%= unescape(toke)%>'>!<%= unescape(toke) %>: <%= count %></p>
         <% } %>
     <% }); %>
     <% if(profile.tokes.get("Legacy Tokes") != null){ %>
-        <p class="profile-item profile-toke" id='profile-tokes-legacy-tokes'><br>Legacy Tokes: <%- profile.tokes.get("Legacy Tokes") %></p>
+        <p class="profile-item profile-toke" id='profile-tokes-legacy-tokes'><br>Legacy Tokes: <%= profile.tokes.get("Legacy Tokes") %></p>
     <% } %>
 </div>
\ No newline at end of file
diff --git a/src/views/partial/tooltip/altList.ejs b/src/views/partial/tooltip/altList.ejs
index 0ef19b8..69017a7 100644
--- a/src/views/partial/tooltip/altList.ejs
+++ b/src/views/partial/tooltip/altList.ejs
@@ -17,14 +17,14 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
     <h3 class="tooltip">Known Alts:</h3>
     <% for(let alt in alts){%>
         <div class="seperator"></div>
-        <p class="tooltip">User: <%- alts[alt].user %></p>
-        <p class="tooltip">ID: <%- alts[alt].id %></p>
+        <p class="tooltip">User: <%= unescape(alts[alt].user) %></p>
+        <p class="tooltip">ID: <%= alts[alt].id %></p>
         <% if(alts[alt].pronouns != '' && alts[alt].pronouns != null){ %>
-            <p class="tooltip">Pronouns: <%- alts[alt].pronouns %></p>
+            <p class="tooltip">Pronouns: <%= unescape(alts[alt].pronouns) %></p>
         <% } %>
-        <p class="tooltip">Signature: <%- alts[alt].signature %></p>
-        <p class="tooltip">Toke Count: <%- alts[alt].tokeCount %></p>
-        <p class="tooltip">Joined: <%- alts[alt].date.toLocaleString() %></p>
+        <p class="tooltip">Signature: <%= unescape(alts[alt].signature) %></p>
+        <p class="tooltip">Toke Count: <%= alts[alt].tokeCount %></p>
+        <p class="tooltip">Joined: <%= unescape(alts[alt].date.toLocaleString()) %></p>
     <% } %>
 <% }else{ %>
     <p class="tooltip">No alts detected...</p>
diff --git a/src/views/partial/tooltip/profile.ejs b/src/views/partial/tooltip/profile.ejs
index dba9bb3..e1e86e0 100644
--- a/src/views/partial/tooltip/profile.ejs
+++ b/src/views/partial/tooltip/profile.ejs
@@ -17,11 +17,11 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
 <% if(profile == null){ %>
     <p>Profile not found!</p>
 <% }else{ %>
-    <h2 class="tooltip profile-name"><%- profile.user %></h2>
-    <img class="tooltip profile-img" src="<%- profile.img %>">
-    <p class="tooltip">Toke Count: <%- profile.tokeCount %></p>
+    <h2 class="tooltip profile-name"><%= unescape(profile.user) %></h2>
+    <img class="tooltip profile-img" src="<%= encodeURI(unescape(profile.img)) %>">
+    <p class="tooltip">Toke Count: <%= profile.tokeCount %></p>
     <% if(profile.pronouns != '' && profile.pronouns != null){ %>
-        <p class="tooltip">Pronouns: <%- profile.pronouns %></p>
+        <p class="tooltip">Pronouns: <%= unescape(profile.pronouns) %></p>
     <% } %>
-    <p class="tooltip">Signature: <%- profile.signature %></p>
+    <p class="tooltip">Signature: <%= unescape(profile.signature) %></p>
 <% } %>
\ No newline at end of file
diff --git a/src/views/profile.ejs b/src/views/profile.ejs
index 3c956f0..990ef9a 100644
--- a/src/views/profile.ejs
+++ b/src/views/profile.ejs
@@ -32,21 +32,21 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>. %>
             <div id="account">
                 <div class="profile dynamic-container" id="profile-div">
                     <span id="profile-info" class="profile">
-                        <h1 class="profile-item" id="profile-username"><%- profile.user %></h1>
-                        <%- include('partial/profile/status', {profile, presence, auxClass: ""}); %>
-                        <%- include('partial/profile/image', {profile, selfProfile}); %>
-                        <%- include('partial/profile/pronouns', {profile, selfProfile}); %> 
-                        <%- include('partial/profile/signature', {profile, selfProfile}); %> 
-                        <%- include('partial/profile/tokeCount', {profile, selfProfile}); %>
+                        <h1 class="profile-item" id="profile-username"><%= unescape(profile.user) %></h1>
+                        <%- include('partial/profile/status', {profile, presence, auxClass: "", unescape}); %>
+                        <%- include('partial/profile/image', {profile, selfProfile, unescape}); %>
+                        <%- include('partial/profile/pronouns', {profile, selfProfile, unescape}); %> 
+                        <%- include('partial/profile/signature', {profile, selfProfile, unescape}); %> 
+                        <%- include('partial/profile/tokeCount', {profile, selfProfile, unescape}); %>
                         <%- include('partial/profile/date', {profile, selfProfile}); %> 
                     </span>
                     <span id="profile-info-aux" class="profile">
-                        <%- include('partial/profile/bio', {profile, selfProfile}); %> 
+                        <%- include('partial/profile/bio', {profile, selfProfile, unescape}); %> 
                         <%- include('partial/profile/badges', {profile, selfProfile}); %> 
                     </span>
                 </div>
                 <% if(selfProfile){ %>
-                    <%- include('partial/profile/settings', {profile, selfProfile}); %> 
+                    <%- include('partial/profile/settings', {profile, selfProfile, unescape}); %> 
                 <% } %>
             </div>
         <% }else if(user){ %>
diff --git a/www/css/panel/profile.css b/www/css/panel/profile.css
index 5ee912c..8e1caed 100644
--- a/www/css/panel/profile.css
+++ b/www/css/panel/profile.css
@@ -48,6 +48,12 @@ p.panel{
 }
 
 .panel.profile-bio{
-    margin-top: 0;
+    margin-top: 1.5em;
     text-wrap: wrap;
+    text-align: center;
+}
+
+.panel.profile-box{
+    margin: 2em 5%;
+    padding: 0.2em 0;
 }
\ No newline at end of file