From 6ba57c39271cdfb0e7850ff3dcaa5b7513da06be Mon Sep 17 00:00:00 2001
From: Martin <mki@kies-media.de>
Date: Tue, 26 May 2026 12:47:47 +0200
Subject: [PATCH] =?UTF-8?q?Code-Review:=20Path-Traversal-Fix,=20toten=20Co?=
 =?UTF-8?q?de=20entfernt=20(formatClock,=20data.error=20Check),=20Emoji-Li?=
 =?UTF-8?q?teral=20korrigiert,=20Einr=C3=BCckung=20fix?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 index.html |  2 +-
 js/app.js  | 17 ++---------------
 server.py  | 10 +++++++---
 3 files changed, 10 insertions(+), 19 deletions(-)

diff --git a/index.html b/index.html
index 6802537..7f46b34 100644
--- a/index.html
+++ b/index.html
@@ -4,7 +4,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>🏆 Lara Kiesewetter – Live Schachturnier</title>
-        <link rel="stylesheet" href="https://unpkg.com/@chrisoakman/chessboardjs@1.0.0/dist/chessboard-1.0.0.min.css">
+    <link rel="stylesheet" href="https://unpkg.com/@chrisoakman/chessboardjs@1.0.0/dist/chessboard-1.0.0.min.css">
     <link rel="stylesheet" href="style.css">
 </head>
 <body>
diff --git a/js/app.js b/js/app.js
index 243b2e6..19b0371 100644
--- a/js/app.js
+++ b/js/app.js
@@ -334,8 +334,8 @@ function updateClocks(moveIndex) {
     const laraClock = laraIsWhite ? whiteClock : blackClock;
     const oppClock = laraIsWhite ? blackClock : whiteClock;
 
-    document.getElementById('black-clock').textContent = formatClock(oppClock);
-    document.getElementById('white-clock').textContent = formatClock(laraClock);
+    document.getElementById('black-clock').textContent = oppClock || '--:--:--';
+    document.getElementById('white-clock').textContent = laraClock || '--:--:--';
 }
 
 /**
@@ -568,10 +568,6 @@ async function updateStandings() {
                     round: currentRound,
                 };
                 const container = document.getElementById('standings-content');
-                if (!data || data.error) {
-                    container.innerHTML = '<div class="standings-loading">Daten nicht verfügbar</div>';
-                    return;
-                }
                 container.innerHTML = `
                     <div class="standings-rank">${data.rank}.</div>
                     <div class="standings-rank-label">Tabellenplatz</div>
@@ -602,15 +598,6 @@ async function updateStandings() {
     }
 }
 
-/**
- * Format clock string
- */
-function formatClock(clockStr) {
-    if (!clockStr) return '--:--:--';
-    // Format is HH:MM:SS
-    return clockStr;
-}
-
 /**
  * Update timestamp
  */
diff --git a/server.py b/server.py
index 1c67fc8..5a6f366 100644
--- a/server.py
+++ b/server.py
@@ -199,7 +199,11 @@ class Handler(http.server.BaseHTTPRequestHandler):
         if self.path == "/":
             self.path = "/index.html"
 
-        filepath = os.path.join(BASE_DIR, self.path.lstrip("/"))
+        filepath = os.path.normpath(os.path.join(BASE_DIR, self.path.lstrip("/")))
+        if not filepath.startswith(BASE_DIR):
+            self.send_response(403)
+            self.end_headers()
+            return
 
         if os.path.isfile(filepath):
             content_types = {
@@ -309,7 +313,7 @@ class Handler(http.server.BaseHTTPRequestHandler):
 
 def main():
     print("=" * 50)
-    print("  [TROPHY] Lara Kiesewetter - Live Schachturnier")
+    print("  Lara Kiesewetter - Live Schachturnier")
     print("=" * 50)
     print(f"  Server laeuft auf: http://localhost:{PORT}")
     if os.path.exists(STOCKFISH_PATH) or STOCKFISH_PATH == "stockfish":
@@ -321,7 +325,7 @@ def main():
 
     socketserver.ThreadingTCPServer.allow_reuse_address = True
     with socketserver.ThreadingTCPServer(("", PORT), Handler) as httpd:
-        print(f"\n[SERVER] Server gestartet: http://localhost:{PORT}\n")
+        print(f"\n[SERVER] Bereit für Anfragen\n")
         try:
             httpd.serve_forever()
         except KeyboardInterrupt: