From 9a7981e01e0fd9e248e22ccf44c2339c2f9c7077 Mon Sep 17 00:00:00 2001
From: Marius Burkard
Date: Mon, 1 Jan 2018 11:35:56 +0100
Subject: [PATCH] - added htmlentities (XSS protection) to form data passed to template, fixes #4902
---
 interface/lib/classes/tform_actions.inc.php | 2 +-
 interface/lib/classes/tpl.inc.php | 7 ++++++-
 interface/web/admin/directive_snippets_edit.php | 6 +++---
 interface/web/dns/dns_slave_edit.php | 2 +-
 interface/web/dns/dns_soa_edit.php | 2 +-
 interface/web/mail/mail_domain_edit.php | 2 +-
 interface/web/mail/mail_mailinglist_edit.php | 6 +++---
 interface/web/mail/mail_user_edit.php | 2 +-
 interface/web/mail/xmpp_domain_edit.php | 2 +-
 .../web/mailuser/mail_user_autoresponder_edit.php | 2 +-
 interface/web/sites/cron_edit.php | 2 +-
 interface/web/sites/database_edit.php | 10 +++++-----
 interface/web/sites/database_user_edit.php | 4 ++--
 interface/web/sites/ftp_user_edit.php | 4 ++--
 interface/web/sites/shell_user_edit.php | 6 +++---
 interface/web/sites/web_childdomain_edit.php | 2 +-
 interface/web/sites/web_vhost_domain_edit.php | 6 +++---
 interface/web/sites/webdav_user_edit.php | 6 +++---
 interface/web/vm/openvz_vm_edit.php | 4 ++--
 19 files changed, 41 insertions(+), 36 deletions(-)
diff --git a/interface/lib/classes/tform_actions.inc.php b/interface/lib/classes/tform_actions.inc.php
index e0ff25145..f277c5127 100644
--- a/interface/lib/classes/tform_actions.inc.php
+++ b/interface/lib/classes/tform_actions.inc.php
@@ -287,7 +287,7 @@ class tform_actions {
 global $app, $conf;
 $app->tpl->setVar("error", "
  • ".$app->tform->errorMessage."
  • ");
- $app->tpl->setVar($this->dataRecord);
+ $app->tpl->setVar($this->dataRecord, null, true);
 $this->onShow();
 }
diff --git a/interface/lib/classes/tpl.inc.php b/interface/lib/classes/tpl.inc.php
index 2104cf61a..37814cd0c 100644
--- a/interface/lib/classes/tpl.inc.php
+++ b/interface/lib/classes/tpl.inc.php
@@ -226,21 +226,26 @@ if (!defined('vlibTemplateClassLoaded')) {
 * using the keys as variable names and the values as variable values.
 * @param mixed $k key to define variable name
 * @param mixed $v variable to assign to $k
+ * @param bool $encode if set to true use htmlentities on values
 * @return boolean true/false
 * @access public
 */
- public function setVar($k, $v = null)
+ public function setVar($k, $v = null, $encode = false)
 {
+ global $app;
+
 if (is_array($k)) {
 foreach($k as $key => $value){
 $key = ($this->OPTIONS['CASELESS']) ? strtolower(trim($key)) : trim($key);
 if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $key) && $value !== null ) {
+ if($encode == true) $value = $app->functions->htmlentities($value);
 $this->_vars[$key] = $value;
 }
 }
 } else {
 if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $k) && $v !== null) {
 if ($this->OPTIONS['CASELESS']) $k = strtolower($k);
+ if($encode == true) $value = $app->functions->htmlentities($);
 $this->_vars[trim($k)] = $v;
 } else {
 return false;
diff --git a/interface/web/admin/directive_snippets_edit.php b/interface/web/admin/directive_snippets_edit.php
index de803581e..b12da0a79 100644
--- a/interface/web/admin/directive_snippets_edit.php
+++ b/interface/web/admin/directive_snippets_edit.php
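Review bot: The encoded `setVar($this->dataRecord, null, true)` only runs on the validation-error re-display path; the normal render path in onShow(), which this branch then invokes, lies outside the hunk and is not touched by the patch, so confirm it escapes the same fields or the fix covers only failed submissions. The array branch of setVar also hands any dataRecord value that is itself an array to `$app->functions->htmlentities`; whether that wrapper tolerates arrays is not visible here and should be checked before relying on this call. The enclosing tform_actions method starts before the hunk.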
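Review bot: The scalar branch of setVar stores the raw value even when `$encode` is true: the added line `if($encode == true) $value = $app->functions->htmlentities($);` is a parse error as printed here, and even read as `htmlentities($v)` it assigns to `$value` while the next line stores `$v`, so every `setVar("name", $x, true)` call added elsewhere in this patch takes this path and is not actually encoded. It should read `if($encode == true) $v = $app->functions->htmlentities($v);`. The array branch passes `$value` to the wrapper unconditionally, so a nested array (possible on the `setVar($this->dataRecord, ...)` path) reaches it; whether the wrapper handles arrays is not visible here. Encoding at assignment time is also context-blind: it is correct for HTML body and quoted-attribute output, but a template that drops a variable into JavaScript or an unquoted attribute still needs context-specific escaping. setVar continues past the end of the hunk.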
@@ -70,9 +70,9 @@ class page_action extends tform_actions {
 if($this->id > 0){
 if($this->dataRecord['master_directive_snippets_id'] > 0){
 $is_master = true;
- $app->tpl->setVar("name", $this->dataRecord['name']);
- $app->tpl->setVar("type", $this->dataRecord['type']);
- $app->tpl->setVar("snippet", $this->dataRecord['snippet']);
+ $app->tpl->setVar("name", $this->dataRecord['name'], true);
+ $app->tpl->setVar("type", $this->dataRecord['type'], true);
+ $app->tpl->setVar("snippet", $this->dataRecord['snippet'], true);
 }
 }
 $app->tpl->setVar("is_master", $is_master);
diff --git a/interface/web/dns/dns_slave_edit.php b/interface/web/dns/dns_slave_edit.php
index 4d588ef8e..289ef2ab3 100644
--- a/interface/web/dns/dns_slave_edit.php
+++ b/interface/web/dns/dns_slave_edit.php
@@ -149,7 +149,7 @@ class page_action extends tform_actions {
 if($this->id > 0) {
 //* we are editing a existing record
 $app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 } else {
 $app->tpl->setVar("edit_disabled", 0);
 }
diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php
index 6faefac39..8764301c1 100644
--- a/interface/web/dns/dns_soa_edit.php
+++ b/interface/web/dns/dns_soa_edit.php
@@ -217,7 +217,7 @@ class page_action extends tform_actions {
 if($this->id > 0) {
 //* we are editing a existing record
 $app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 $datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'dns_soa' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'id:' . $this->id);
 if(is_array($datalog) && !empty($datalog)){
diff --git a/interface/web/mail/mail_domain_edit.php b/interface/web/mail/mail_domain_edit.php
index 7565752bd..e648b94c3 100644
--- a/interface/web/mail/mail_domain_edit.php
+++ b/interface/web/mail/mail_domain_edit.php
@@ -204,7 +204,7 @@ class page_action extends tform_actions {
 if($this->id > 0) {
 //* we are editing a existing record
 $app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 } else {
 $app->tpl->setVar("edit_disabled", 0);
 }
diff --git a/interface/web/mail/mail_mailinglist_edit.php b/interface/web/mail/mail_mailinglist_edit.php
index 141962752..a0c9e0217 100644
--- a/interface/web/mail/mail_mailinglist_edit.php
+++ b/interface/web/mail/mail_mailinglist_edit.php
@@ -124,9 +124,9 @@ class page_action extends tform_actions {
 if($this->id > 0) {
 //* we are editing a existing record
 $app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("listname_value", $this->dataRecord["listname"]);
- $app->tpl->setVar("domain_value", $this->dataRecord["domain"]);
- $app->tpl->setVar("email_value", $this->dataRecord["email"]);
+ $app->tpl->setVar("listname_value", $this->dataRecord["listname"], true);
+ $app->tpl->setVar("domain_value", $this->dataRecord["domain"], true);
+ $app->tpl->setVar("email_value", $this->dataRecord["email"], true);
 } else {
 $app->tpl->setVar("edit_disabled", 0);
 }
diff --git a/interface/web/mail/mail_user_edit.php b/interface/web/mail/mail_user_edit.php
index 87d3be66b..b6e84bf33 100644
--- a/interface/web/mail/mail_user_edit.php
+++ b/interface/web/mail/mail_user_edit.php
@@ -121,7 +121,7 @@ class page_action extends tform_actions {
 if($this->dataRecord['autoresponder_subject'] == '') {
 $app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject'));
 } else {
- $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']);
+ $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true);
 }
 $app->uses('getconf');
diff --git a/interface/web/mail/xmpp_domain_edit.php b/interface/web/mail/xmpp_domain_edit.php
index 391320111..499882454 100644
--- a/interface/web/mail/xmpp_domain_edit.php
+++ b/interface/web/mail/xmpp_domain_edit.php
@@ -211,7 +211,7 @@ class page_action extends tform_actions {
 if($this->id > 0) {
 //* we are editing a existing record
 $app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 } else {
 $app->tpl->setVar("edit_disabled", 0);
 }
diff --git a/interface/web/mailuser/mail_user_autoresponder_edit.php b/interface/web/mailuser/mail_user_autoresponder_edit.php
index 8007c0fd8..d93151bf2 100644
--- a/interface/web/mailuser/mail_user_autoresponder_edit.php
+++ b/interface/web/mailuser/mail_user_autoresponder_edit.php
@@ -84,7 +84,7 @@ class page_action extends tform_actions {
 if($this->dataRecord['autoresponder_subject'] == '') {
 $app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject'));
 } else {
- $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']);
+ $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true);
 }
 parent::onShowEnd();
diff --git a/interface/web/sites/cron_edit.php b/interface/web/sites/cron_edit.php
index a8326493c..62f338f33 100644
--- a/interface/web/sites/cron_edit.php
+++ b/interface/web/sites/cron_edit.php
@@ -73,7 +73,7 @@ class page_action extends tform_actions {
 if($this->id > 0) {
 //* we are editing a existing record
 $app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
+ $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
 } else {
 $app->tpl->setVar("edit_disabled", 0);
 }
diff --git a/interface/web/sites/database_edit.php b/interface/web/sites/database_edit.php
index 213063ae8..7af4b4351 100644
--- a/interface/web/sites/database_edit.php
+++ b/interface/web/sites/database_edit.php
@@ -143,22 +143,22 @@ class page_action extends tform_actions {
 if ($this->dataRecord['database_name'] != ""){
 /* REMOVE the restriction */
- $app->tpl->setVar("database_name", $app->tools_sites->removePrefix($this->dataRecord['database_name'], $this->dataRecord['database_name_prefix'], $dbname_prefix));
+ $app->tpl->setVar("database_name", $app->tools_sites->removePrefix($this->dataRecord['database_name'], $this->dataRecord['database_name_prefix'], $dbname_prefix), true);
 }
 if($this->dataRecord['database_name'] == "") {
 $app->tpl->setVar("database_name_prefix", $dbname_prefix);
 } else {
- $app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix']));
+ $app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix']), true);
 }
 if($this->id > 0) {
 //* we are editing a existing record
 $edit_disabled = @($_SESSION["s"]["user"]["typ"] == 'admin')? 0 : 1; //* admin can change the database-name
 $app->tpl->setVar("edit_disabled", $edit_disabled);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
- $app->tpl->setVar("database_charset_value", $this->dataRecord["database_charset"]);
- $app->tpl->setVar("limit_database_quota", $this->dataRecord["database_quota"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
+ $app->tpl->setVar("database_charset_value", $this->dataRecord["database_charset"], true);
+ $app->tpl->setVar("limit_database_quota", $this->dataRecord["database_quota"], true);
 } else {
 $app->tpl->setVar("edit_disabled", 0);
 }
diff --git a/interface/web/sites/database_user_edit.php b/interface/web/sites/database_user_edit.php
index e7bfa611a..6f6e887cc 100644
--- a/interface/web/sites/database_user_edit.php
+++ b/interface/web/sites/database_user_edit.php
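Review bot: The two branches that set `database_name_prefix` are now inconsistent: the `== ""` branch still passes `$dbname_prefix` to the template unencoded while the else branch encodes a getPrefix() result built from the same variable. `$dbname_prefix` is presumably a configured prefix rather than direct user input, but `$app->tpl->setVar("database_name_prefix", $dbname_prefix, true);` keeps a single rule for every value reaching the template and spares the next reader from having to prove the variable safe. The same split remains in the database_user, ftp, shell and webdav hunks of this patch. The enclosing method starts and ends outside the hunk.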
@@ -118,13 +118,13 @@ class page_action extends tform_actions {
 if ($this->dataRecord['database_user'] != ""){
 /* REMOVE the restriction */
- $app->tpl->setVar("database_user", $app->tools_sites->removePrefix($this->dataRecord['database_user'], $this->dataRecord['database_user_prefix'], $dbuser_prefix));
+ $app->tpl->setVar("database_user", $app->tools_sites->removePrefix($this->dataRecord['database_user'], $this->dataRecord['database_user_prefix'], $dbuser_prefix), true);
 }
 if($this->dataRecord['database_user'] == "") {
 $app->tpl->setVar("database_user_prefix", $dbuser_prefix);
 } else {
- $app->tpl->setVar("database_user_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_user_prefix'], $dbuser_prefix, $global_config['dbuser_prefix']));
+ $app->tpl->setVar("database_user_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_user_prefix'], $dbuser_prefix, $global_config['dbuser_prefix']), true);
 }
 parent::onShowEnd();
diff --git a/interface/web/sites/ftp_user_edit.php b/interface/web/sites/ftp_user_edit.php
index 9de400ce0..a98e44779 100644
--- a/interface/web/sites/ftp_user_edit.php
+++ b/interface/web/sites/ftp_user_edit.php
@@ -79,13 +79,13 @@ class page_action extends tform_actions {
 if ($this->dataRecord['username'] != ""){
 /* REMOVE the restriction */
- $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $ftpuser_prefix));
+ $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $ftpuser_prefix), true);
 }
 if($this->dataRecord['username'] == "") {
 $app->tpl->setVar("username_prefix", $ftpuser_prefix);
 } else {
- $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $ftpuser_prefix, $global_config['ftpuser_prefix']));
+ $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $ftpuser_prefix, $global_config['ftpuser_prefix']), true);
 }
 parent::onShowEnd();
diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php
index 77c4509b4..2f0a02989 100644
--- a/interface/web/sites/shell_user_edit.php
+++ b/interface/web/sites/shell_user_edit.php
@@ -79,19 +79,19 @@ class page_action extends tform_actions {
 if ($this->dataRecord['username'] != ""){
 /* REMOVE the restriction */
- $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $shelluser_prefix));
+ $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $shelluser_prefix), true);
 }
 if($this->dataRecord['username'] == "") {
 $app->tpl->setVar("username_prefix", $shelluser_prefix);
 } else {
- $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $shelluser_prefix, $global_config['shelluser_prefix']));
+ $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $shelluser_prefix, $global_config['shelluser_prefix']), true);
 }
 if($this->id > 0) {
 //* we are editing a existing record
 $app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
+ $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
 } else {
 $app->tpl->setVar("edit_disabled", 0);
 }
diff --git a/interface/web/sites/web_childdomain_edit.php b/interface/web/sites/web_childdomain_edit.php
index 6ef98f901..622d0d079 100644
--- a/interface/web/sites/web_childdomain_edit.php
+++ b/interface/web/sites/web_childdomain_edit.php
@@ -144,7 +144,7 @@ class page_action extends tform_actions {
 $this->dataRecord["domain"] = str_replace('.'.$parent_domain["domain"], '', $this->dataRecord["domain"]);
 }
 }
- if($this->_childdomain_type == 'subdomain') $app->tpl->setVar("domain", $this->dataRecord["domain"]);
+ if($this->_childdomain_type == 'subdomain') $app->tpl->setVar("domain", $this->dataRecord["domain"], true);
 $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
 if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
diff --git a/interface/web/sites/web_vhost_domain_edit.php b/interface/web/sites/web_vhost_domain_edit.php
index 023f8db0c..f04dc019e 100644
--- a/interface/web/sites/web_vhost_domain_edit.php
+++ b/interface/web/sites/web_vhost_domain_edit.php
@@ -761,8 +761,8 @@ class page_action extends tform_actions {
 $app->tpl->setVar("edit_disabled", 1);
 $app->tpl->setVar('fixed_folder', 'y');
 if($this->_vhostdomain_type == 'domain') {
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
- $app->tpl->setVar("document_root", $this->dataRecord["document_root"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
+ $app->tpl->setVar("document_root", $this->dataRecord["document_root"], true);
 } else $app->tpl->setVar('server_id_value', $parent_domain['server_id']);
 } else {
@@ -820,7 +820,7 @@ class page_action extends tform_actions {
 if($this->dataRecord["type"] == 'vhostsubdomain') $this->dataRecord["domain"] = str_replace('.'.$parent_domain["domain"], '', $this->dataRecord["domain"]);
 }
- if($this->_vhostdomain_type != 'domain') $app->tpl->setVar("domain", $this->dataRecord["domain"]);
+ if($this->_vhostdomain_type != 'domain') $app->tpl->setVar("domain", $this->dataRecord["domain"], true);
 // check for configuration errors in sys_datalog
 if($this->id > 0) {
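Review bot: In the `-761` hunk of web_vhost_domain_edit.php the `else` branch still passes `$parent_domain['server_id']` to the template unencoded while the `domain` branch now encodes the same `server_id_value` variable; for one consistent rule it should be `} else $app->tpl->setVar('server_id_value', $parent_domain['server_id'], true);`. `$parent_domain` is loaded outside the hunk, so whether its `server_id` can ever carry non-numeric content cannot be judged here, but the template variable is the same either way and its escaping should not depend on which branch filled it. The enclosing method starts and ends outside the hunk.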
diff --git a/interface/web/sites/webdav_user_edit.php b/interface/web/sites/webdav_user_edit.php
index 73e47eb7a..e94625fd9 100644
--- a/interface/web/sites/webdav_user_edit.php
+++ b/interface/web/sites/webdav_user_edit.php
@@ -78,19 +78,19 @@ class page_action extends tform_actions {
 if ($this->dataRecord['username'] != "") {
 /* REMOVE the restriction */
- $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $webdavuser_prefix));
+ $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $webdavuser_prefix), true);
 }
 if($this->dataRecord['username'] == "") {
 $app->tpl->setVar("username_prefix", $webdavuser_prefix);
 } else {
- $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix']));
+ $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix']), true);
 }
 if($this->id > 0) {
 //* we are editing a existing record
 $app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
+ $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
 } else {
 $app->tpl->setVar("edit_disabled", 0);
 }
diff --git a/interface/web/vm/openvz_vm_edit.php b/interface/web/vm/openvz_vm_edit.php
index 2a5b12f3d..8109859ec 100644
--- a/interface/web/vm/openvz_vm_edit.php
+++ b/interface/web/vm/openvz_vm_edit.php
@@ -198,8 +198,8 @@ class page_action extends tform_actions {
 if($this->id > 0) {
 //* we are editing a existing record
 $app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
- $app->tpl->setVar("ostemplate_id_value", $this->dataRecord["ostemplate_id"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
+ $app->tpl->setVar("ostemplate_id_value", $this->dataRecord["ostemplate_id"], true);
 } else {
 $app->tpl->setVar("edit_disabled", 0);
 }
-- 
GitLab