From a324af77eac68259b7ab05db61546b4a2db2730e Mon Sep 17 00:00:00 2001
From: Marius Burkard
Date: Mon, 1 Jan 2018 18:47:47 +0100
Subject: [PATCH] - fixed further (potential) XSS issues in forms

---
 interface/web/admin/firewall_edit.php | 2 +-
 interface/web/admin/server_edit.php | 2 +-
 interface/web/admin/server_ip_map_edit.php | 4 +-
 .../web/client/message_template_edit.php | 2 +-
 interface/web/dns/dns_dkim_edit.php | 6 +-
 interface/web/dns/dns_dmarc_edit.php | 12 ++--
 interface/web/dns/dns_slave_edit.php | 2 +-
 interface/web/dns/dns_soa_edit.php | 6 +-
 interface/web/dns/dns_spf_edit.php | 2 +-
 interface/web/mail/mail_alias_edit.php | 2 +-
 interface/web/mail/mail_aliasdomain_edit.php | 4 +-
 .../web/mail/mail_domain_catchall_edit.php | 2 +-
 interface/web/mail/mail_domain_edit.php | 16 ++---
 interface/web/mail/mail_forward_edit.php | 2 +-
 interface/web/mail/mail_mailinglist_edit.php | 2 +-
 interface/web/mail/mail_spamfilter_edit.php | 2 +-
 interface/web/mail/mail_transport_edit.php | 3 +-
 interface/web/mail/mail_user_edit.php | 4 +-
 interface/web/mail/xmpp_domain_edit.php | 4 +-
 interface/web/mail/xmpp_user_edit.php | 2 +-
 interface/web/mailuser/mail_user_cc_edit.php | 2 +-
 .../web/mailuser/mail_user_password_edit.php | 2 +-
 .../mailuser/mail_user_spamfilter_edit.php | 4 +-
 interface/web/sites/database_edit.php | 6 +-
 interface/web/sites/database_user_edit.php | 2 +-
 interface/web/sites/ftp_user_edit.php | 2 +-
 interface/web/sites/shell_user_edit.php | 2 +-
 interface/web/sites/web_childdomain_edit.php | 8 +--
 interface/web/sites/web_vhost_domain_edit.php | 66 +++++++++----------
 interface/web/sites/webdav_user_edit.php | 2 +-
 interface/web/vm/openvz_vm_edit.php | 14 ++--
 31 files changed, 96 insertions(+), 95 deletions(-)

diff --git a/interface/web/admin/firewall_edit.php b/interface/web/admin/firewall_edit.php
index 4ee72aa95..01cad2b81 100644
--- a/interface/web/admin/firewall_edit.php
+++ b/interface/web/admin/firewall_edit.php
@@ -57,7 +57,7 @@ class page_action extends tform_actions { if($this->id ==0) { //* new record $server_list = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE server_id NOT IN (SELECT server_id FROM firewall) ORDER BY server_name"); if(is_array($server_list)) { - foreach( $server_list as $server) $server_select .= "\r\n"; + foreach( $server_list as $server) $server_select .= "\r\n"; } $app->tpl->setVar('server_id', $server_select); } diff --git a/interface/web/admin/server_edit.php b/interface/web/admin/server_edit.php index 5b446c049..b146d8f29 100644 --- a/interface/web/admin/server_edit.php +++ b/interface/web/admin/server_edit.php @@ -61,7 +61,7 @@ class page_action extends tform_actions { if(is_array($mirror_servers)) { foreach( $mirror_servers as $mirror_server) { $selected = ($mirror_server["server_id"] == $this->dataRecord['mirror_server_id'])?'SELECTED':''; - $mirror_server_select .= "\r\n"; + $mirror_server_select .= "\r\n"; } } $app->tpl->setVar("mirror_server_id", $mirror_server_select); diff --git a/interface/web/admin/server_ip_map_edit.php b/interface/web/admin/server_ip_map_edit.php index 444228713..b51886730 100644 --- a/interface/web/admin/server_ip_map_edit.php +++ b/interface/web/admin/server_ip_map_edit.php @@ -52,7 +52,7 @@ class page_action extends tform_actions { if(is_array($servers)) { foreach($servers as $server) { $selected = ($server['server_id'] == $this->dataRecord['server_id'])?'SELECTED':''; - $server_select .= "\r\n"; + $server_select .= "\r\n"; } } unset($servers); @@ -65,7 +65,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip['ip_address'] == $this->dataRecord['source_ip'])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } unset($ips); diff --git a/interface/web/client/message_template_edit.php b/interface/web/client/message_template_edit.php index 7d285ac7e..1c11ff895 100644 --- a/interface/web/client/message_template_edit.php 
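Review bot: Each of the three select loops here (firewall_edit.php, server_edit.php, server_ip_map_edit.php) still builds its option string by hand from `$selected` and raw record fields, and the same loop is patched again in mail_alias_edit.php, mail_user_edit.php, mail_spamfilter_edit.php and the ip/php selects of web_vhost_domain_edit.php, so the escaping has to be redone at every call site. The option markup was stripped in this rendering (the `+` lines read the same as the `-` lines), so whether both the value attribute and the label are escaped on each added line cannot be verified from this page and should be checked against the raw patch. A helper on `$app->functions` that takes value, label and the selected flag and escapes both parts would reduce every loop body to one call and make the next form safe without a follow-up sweep. The loops' enclosing methods begin outside these hunks.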
+++ b/interface/web/client/message_template_edit.php @@ -80,7 +80,7 @@ class page_action extends tform_actions { if($field_name['Field'] == 'gender'){ $message_variables .= '{salutation} '; } else { - $message_variables .= '{'.$field_name['Field'].'} '; + $message_variables .= '{'.$app->functions->htmlentities($field_name['Field']).'} '; } } } diff --git a/interface/web/dns/dns_dkim_edit.php b/interface/web/dns/dns_dkim_edit.php index 7f7e6856d..35bac0d0c 100644 --- a/interface/web/dns/dns_dkim_edit.php +++ b/interface/web/dns/dns_dkim_edit.php @@ -76,8 +76,8 @@ class page_action extends tform_actions { if(isset($sql['domain']) && $sql['domain'] != '') { if($sql['dkim'] == 'y') { $public_key=str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$sql['dkim_public']); - $app->tpl->setVar('public_key', $public_key); - $app->tpl->setVar('selector', $sql['dkim_selector']); + $app->tpl->setVar('public_key', $public_key, true); + $app->tpl->setVar('selector', $sql['dkim_selector'], true); } else { //TODO: show warning - use mail_domain for dkim and enabled dkim } @@ -85,7 +85,7 @@ class page_action extends tform_actions { } else { $app->tpl->setVar('edit_disabled', 0); } - $app->tpl->setVar('name', $soa['origin']); + $app->tpl->setVar('name', $soa['origin'], true); } diff --git a/interface/web/dns/dns_dmarc_edit.php b/interface/web/dns/dns_dmarc_edit.php index c806c7c20..7f915074d 100644 --- a/interface/web/dns/dns_dmarc_edit.php +++ b/interface/web/dns/dns_dmarc_edit.php @@ -93,7 +93,7 @@ class page_action extends tform_actions { if ( isset($rec) && !empty($rec) ) { $this->id = 1; $old_data = strtolower($rec['data']); - $app->tpl->setVar("data", $old_data); + $app->tpl->setVar("data", $old_data, true); if ($rec['active'] == 'Y') $app->tpl->setVar("active", "CHECKED"); else $app->tpl->setVar("active", "UNCHECKED"); $dmarc_rua = ''; $dmarc_ruf = ''; 
@@ -123,7 +123,7 @@ class page_action extends tform_actions { } //set html-values - $app->tpl->setVar('domain', $domain_name); + $app->tpl->setVar('domain', $domain_name, true); //create dmarc-policy-list $dmarc_policy_value = array( @@ -138,9 +138,9 @@ class page_action extends tform_actions { } $app->tpl->setVar('dmarc_policy', $dmarc_policy_list); - if (!empty($dmarc_rua)) $app->tpl->setVar("dmarc_rua", $dmarc_rua); + if (!empty($dmarc_rua)) $app->tpl->setVar("dmarc_rua", $dmarc_rua, true); - if (!empty($dmarc_ruf)) $app->tpl->setVar("dmarc_ruf", $dmarc_ruf); + if (!empty($dmarc_ruf)) $app->tpl->setVar("dmarc_ruf", $dmarc_ruf, true); //set dmarc-fo-options if (isset($dmarc_fo)) { @@ -178,9 +178,9 @@ class page_action extends tform_actions { if ( strpos($dmarc_rf, 'afrf') !== false ) $app->tpl->setVar("dmarc_rf_afrf", 'CHECKED'); if ( strpos($dmarc_rf, 'iodef') !== false ) $app->tpl->setVar("dmarc_rf_iodef", 'CHECKED'); - $app->tpl->setVar("dmarc_pct", $dmarc_pct); + $app->tpl->setVar("dmarc_pct", $dmarc_pct, true); - $app->tpl->setVar("dmarc_ri", $dmarc_ri); + $app->tpl->setVar("dmarc_ri", $dmarc_ri, true); //create dmarc-sp-list $dmarc_sp_value = array( diff --git a/interface/web/dns/dns_slave_edit.php b/interface/web/dns/dns_slave_edit.php index 289ef2ab3..117b101b8 100644 --- a/interface/web/dns/dns_slave_edit.php +++ b/interface/web/dns/dns_slave_edit.php @@ -132,7 +132,7 @@ class page_action extends tform_actions { if ($domain['domain'].'.' == $this->dataRecord["origin"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".\r\n"; } } else { diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php index 8764301c1..9b36daee1 100644 --- a/interface/web/dns/dns_soa_edit.php +++ b/interface/web/dns/dns_soa_edit.php 
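Review bot: In the dns_slave_edit.php hunk only the displayed option text is escaped; the `$domain_select .= " selected";` line above it shows that the option tag and its value attribute are opened on lines before the hunk, and those are presumably built from the same `$domain['domain']`, which is not visible here. If that attribute is still concatenated raw, the escaping added on the text half closes only part of the sink, and the value should go through `$app->functions->htmlentities()` as well. The same shape recurs in the domain-select hunks of dns_soa_edit.php, mail_domain_edit.php, xmpp_domain_edit.php and web_childdomain_edit.php. The enclosing method begins outside the hunk.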
@@ -179,7 +179,7 @@ class page_action extends tform_actions { $options_dns_servers = ""; foreach ($dns_servers as $dns_server) { - $options_dns_servers .= ''; + $options_dns_servers .= ''; } $app->tpl->setVar("client_server_id", $options_dns_servers); @@ -200,7 +200,7 @@ class page_action extends tform_actions { if ($domain['domain'].'.' == $this->dataRecord["origin"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".\r\n"; } } else { @@ -222,7 +222,7 @@ class page_action extends tform_actions { $datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'dns_soa' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'id:' . $this->id); if(is_array($datalog) && !empty($datalog)){ if(trim($datalog['error']) != ''){ - $app->tpl->setVar("config_error_msg", nl2br(htmlentities($datalog['error']))); + $app->tpl->setVar("config_error_msg", nl2br($app->functions->htmlentities($datalog['error']))); $app->tpl->setVar("config_error_tstamp", date($app->lng('conf_format_datetime'), $datalog['tstamp'])); } } diff --git a/interface/web/dns/dns_spf_edit.php b/interface/web/dns/dns_spf_edit.php index 6fb11a302..94096662a 100644 --- a/interface/web/dns/dns_spf_edit.php +++ b/interface/web/dns/dns_spf_edit.php @@ -83,7 +83,7 @@ class page_action extends tform_actions { $this->id = 1; $old_data = strtolower($rec['data']); - $app->tpl->setVar("data", $old_data); + $app->tpl->setVar("data", $old_data, true); if ($rec['active'] == 'Y') $app->tpl->setVar("active", "CHECKED"); else $app->tpl->setVar("active", "UNCHECKED"); $spf_hostname = ''; 
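Review bot: The `config_error_msg` line in the `@@ -222` hunk of dns_soa_edit.php is the one place in this commit where the value is escaped before `setVar()` instead of through the third argument, because `nl2br()` has to run after escaping and its break tags must survive; that asymmetry deserves a comment so a later sweep does not add `true` here and double-escape it, e.g. `// escape first, then nl2br(): the <br /> tags it inserts must not be escaped again by setVar()`. The enclosing method begins outside the hunk.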
diff --git a/interface/web/mail/mail_alias_edit.php b/interface/web/mail/mail_alias_edit.php index 4292f8f4c..eb7ff4b4d 100644 --- a/interface/web/mail/mail_alias_edit.php +++ b/interface/web/mail/mail_alias_edit.php @@ -83,7 +83,7 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = ($domain["domain"] == @$email_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } } $app->tpl->setVar("email_domain", $domain_select); diff --git a/interface/web/mail/mail_aliasdomain_edit.php b/interface/web/mail/mail_aliasdomain_edit.php index 918a5f3a0..ef3b16275 100644 --- a/interface/web/mail/mail_aliasdomain_edit.php +++ b/interface/web/mail/mail_aliasdomain_edit.php @@ -82,9 +82,9 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = ($domain["domain"] == @$source_domain)?'SELECTED':''; - $source_select .= "\r\n"; + $source_select .= "\r\n"; $selected = ($domain["domain"] == @$destination_domain)?'SELECTED':''; - $destination_select .= "\r\n"; + $destination_select .= "\r\n"; } } $app->tpl->setVar("source_domain", $source_select); diff --git a/interface/web/mail/mail_domain_catchall_edit.php b/interface/web/mail/mail_domain_catchall_edit.php index 60da619e1..4ef18d45e 100644 --- a/interface/web/mail/mail_domain_catchall_edit.php +++ b/interface/web/mail/mail_domain_catchall_edit.php @@ -82,7 +82,7 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = (isset($email_parts[1]) && $domain["domain"] == $email_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } } $app->tpl->setVar("email_domain", $domain_select); 
diff --git a/interface/web/mail/mail_domain_edit.php b/interface/web/mail/mail_domain_edit.php index e648b94c3..d7d6ea4c6 100644 --- a/interface/web/mail/mail_domain_edit.php +++ b/interface/web/mail/mail_domain_edit.php @@ -101,7 +101,7 @@ class page_action extends tform_actions { // Set the mailserver to the default server of the client $tmp = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ?", $client['default_mailserver']); - $app->tpl->setVar("server_id", ""); + $app->tpl->setVar("server_id", ""); unset($tmp); if ($settings['use_domain_module'] != 'y') { @@ -142,7 +142,7 @@ class page_action extends tform_actions { $options_mail_servers = ""; foreach ($mail_servers as $mail_server) { - $options_mail_servers .= ''; + $options_mail_servers .= ''; } $app->tpl->setVar("client_server_id", $options_mail_servers); @@ -167,7 +167,7 @@ class page_action extends tform_actions { if ($domain['domain'] == $this->dataRecord["domain"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n"; } } else { @@ -193,7 +193,7 @@ class page_action extends tform_actions { if(is_array($policys)) { foreach( $policys as $p) { $selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':''; - $policy_select .= "\r\n"; + $policy_select .= "\r\n"; } } $app->tpl->setVar("policy", $policy_select); 
@@ -214,10 +214,10 @@ class page_action extends tform_actions { $rec = $app->db->queryOneRecord($sql, $app->functions->intval($_GET['id'])); $dns_key = str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$rec['dkim_public']); $dns_record = $rec['dkim_selector'] . '._domainkey.' . $rec['domain'] . '. 3600 TXT v=DKIM1; t=s; p=' . $dns_key; - $app->tpl->setVar('dkim_selector', $rec['dkim_selector']); - $app->tpl->setVar('dkim_private', $rec['dkim_private']); - $app->tpl->setVar('dkim_public', $rec['dkim_public']); - if (!empty($rec['dkim_public'])) $app->tpl->setVar('dns_record', $dns_record); + $app->tpl->setVar('dkim_selector', $rec['dkim_selector'], true); + $app->tpl->setVar('dkim_private', $rec['dkim_private'], true); + $app->tpl->setVar('dkim_public', $rec['dkim_public'], true); + if (!empty($rec['dkim_public'])) $app->tpl->setVar('dns_record', $dns_record, true); parent::onShowEnd(); } diff --git a/interface/web/mail/mail_forward_edit.php b/interface/web/mail/mail_forward_edit.php index 17ce213cb..ee8c5f299 100644 --- a/interface/web/mail/mail_forward_edit.php +++ b/interface/web/mail/mail_forward_edit.php @@ -82,7 +82,7 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = (isset($email_parts[1]) && $domain["domain"] == $email_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } $app->tpl->setVar("email_domain", $domain_select); diff --git a/interface/web/mail/mail_mailinglist_edit.php b/interface/web/mail/mail_mailinglist_edit.php index a0c9e0217..57d9c77f2 100644 --- a/interface/web/mail/mail_mailinglist_edit.php +++ b/interface/web/mail/mail_mailinglist_edit.php 
@@ -116,7 +116,7 @@ class page_action extends tform_actions { if(is_array($domains)) { foreach( $domains as $domain) { $selected = ($domain["domain"] == $this->dataRecord["domain"])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } } $app->tpl->setVar("domain_option", $domain_select); diff --git a/interface/web/mail/mail_spamfilter_edit.php b/interface/web/mail/mail_spamfilter_edit.php index 6282a38b0..c47ec8b41 100644 --- a/interface/web/mail/mail_spamfilter_edit.php +++ b/interface/web/mail/mail_spamfilter_edit.php @@ -67,7 +67,7 @@ class page_action extends tform_actions { $domain_select = ''; foreach( $domains as $domain) { $selected = ($domain["domain"] == $email_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } $app->tpl->setVar("email_domain", $domain_select); diff --git a/interface/web/mail/mail_transport_edit.php b/interface/web/mail/mail_transport_edit.php index 9707d2fce..65667726a 100644 --- a/interface/web/mail/mail_transport_edit.php +++ b/interface/web/mail/mail_transport_edit.php @@ -70,6 +70,7 @@ class page_action extends tform_actions { function onShowEnd() { global $app, $conf; + $rec = array(); $types = array('smtp' => 'smtp', 'uucp' => 'uucp', 'slow' => 'slow', 'error' => 'error', 'custom' => 'custom', '' => 'null'); $tmp_parts = explode(":", $this->dataRecord["transport"]); if(!empty($this->id) && !stristr($this->dataRecord["transport"], ':')) { @@ -106,7 +107,7 @@ class page_action extends tform_actions { } } $rec["type"] = $type_select; - $app->tpl->setVar($rec); + $app->tpl->setVar($rec, null, true); unset($type); unset($types); diff --git a/interface/web/mail/mail_user_edit.php b/interface/web/mail/mail_user_edit.php index b6e84bf33..dd2c46799 100644 --- a/interface/web/mail/mail_user_edit.php +++ b/interface/web/mail/mail_user_edit.php 
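Review bot: In the mail_transport_edit.php `@@ -106` hunk, `$app->tpl->setVar($rec, null, true)` applies the escape flag to every entry of `$rec`, while the line just above stores `$type_select` in `$rec["type"]`; from its construction over `$types` that variable looks like ready-made option markup, and if the array form escapes values the same way the scalar form does, the markup is rendered as literal text and the transport type select breaks. Keep the escaped call for the scalar fields but hand the markup over separately, e.g. `unset($rec["type"]); $app->tpl->setVar($rec, null, true); $app->tpl->setVar("type", $type_select);`. Whether `$type_select` really holds markup cannot be confirmed from the hunk, since the loop that builds it is outside it, as is the rest of onShowEnd().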
@@ -84,7 +84,7 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = ($domain["domain"] == @$email_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } } $app->tpl->setVar("email_domain", $domain_select); @@ -100,7 +100,7 @@ class page_action extends tform_actions { if(is_array($policys)) { foreach( $policys as $p) { $selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':''; - $policy_select .= "\r\n"; + $policy_select .= "\r\n"; } } $app->tpl->setVar("policy", $policy_select); diff --git a/interface/web/mail/xmpp_domain_edit.php b/interface/web/mail/xmpp_domain_edit.php index 499882454..a89d27c45 100644 --- a/interface/web/mail/xmpp_domain_edit.php +++ b/interface/web/mail/xmpp_domain_edit.php @@ -165,7 +165,7 @@ class page_action extends tform_actions { $options_xmpp_servers = ""; foreach ($xmpp_servers as $xmpp_server) { - $options_xmpp_servers .= ""; + $options_xmpp_servers .= ""; } $app->tpl->setVar("client_server_id", $options_xmpp_servers); @@ -190,7 +190,7 @@ class page_action extends tform_actions { if ($domain['domain'] == $this->dataRecord["domain"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n"; } } else { diff --git a/interface/web/mail/xmpp_user_edit.php b/interface/web/mail/xmpp_user_edit.php index 16d440a9f..188de01ae 100644 --- a/interface/web/mail/xmpp_user_edit.php +++ b/interface/web/mail/xmpp_user_edit.php 
@@ -83,7 +83,7 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = ($domain["domain"] == @$jid_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } } $app->tpl->setVar("jid_domain", $domain_select); diff --git a/interface/web/mailuser/mail_user_cc_edit.php b/interface/web/mailuser/mail_user_cc_edit.php index 39e5bdf6f..778be781e 100644 --- a/interface/web/mailuser/mail_user_cc_edit.php +++ b/interface/web/mailuser/mail_user_cc_edit.php @@ -75,7 +75,7 @@ class page_action extends tform_actions { global $app, $conf; $rec = $app->tform->getDataRecord($this->id); - $app->tpl->setVar("email", $rec['email']); + $app->tpl->setVar("email", $rec['email'], true); parent::onShowEnd(); } diff --git a/interface/web/mailuser/mail_user_password_edit.php b/interface/web/mailuser/mail_user_password_edit.php index 07a19259e..5c5706177 100644 --- a/interface/web/mailuser/mail_user_password_edit.php +++ b/interface/web/mailuser/mail_user_password_edit.php @@ -63,7 +63,7 @@ class page_action extends tform_actions { global $app, $conf; $rec = $app->tform->getDataRecord($_SESSION['s']['user']['mailuser_id']); - $app->tpl->setVar("email", $rec['email']); + $app->tpl->setVar("email", $rec['email'], true); parent::onShowEnd(); } diff --git a/interface/web/mailuser/mail_user_spamfilter_edit.php b/interface/web/mailuser/mail_user_spamfilter_edit.php index 9d3735672..abbea2193 100644 --- a/interface/web/mailuser/mail_user_spamfilter_edit.php +++ b/interface/web/mailuser/mail_user_spamfilter_edit.php 
@@ -112,7 +112,7 @@ class page_action extends tform_actions { global $app, $conf; $rec = $app->tform->getDataRecord($this->id); - $app->tpl->setVar("email", $rec['email']); + $app->tpl->setVar("email", $rec['email'], true); // Get the spamfilter policys for the user $tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = ?", $rec['email']); @@ -122,7 +122,7 @@ class page_action extends tform_actions { if(is_array($policys)) { foreach( $policys as $p) { $selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':''; - $policy_select .= "\r\n"; + $policy_select .= "\r\n"; } } $app->tpl->setVar("policy", $policy_select); diff --git a/interface/web/sites/database_edit.php b/interface/web/sites/database_edit.php index 7af4b4351..71e5acaf2 100644 --- a/interface/web/sites/database_edit.php +++ b/interface/web/sites/database_edit.php @@ -89,7 +89,7 @@ class page_action extends tform_actions { } foreach ($tmp as $db_server) { - $options_db_servers .= ''; + $options_db_servers .= ''; } $app->tpl->setVar("server_id", $options_db_servers); @@ -112,7 +112,7 @@ class page_action extends tform_actions { } foreach ($tmp as $db_server) { - $options_db_servers .= ''; + $options_db_servers .= ''; } $app->tpl->setVar("server_id", $options_db_servers); @@ -147,7 +147,7 @@ class page_action extends tform_actions { } if($this->dataRecord['database_name'] == "") { - $app->tpl->setVar("database_name_prefix", $dbname_prefix); + $app->tpl->setVar("database_name_prefix", $dbname_prefix, true); } else { $app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix']), true); } diff --git a/interface/web/sites/database_user_edit.php b/interface/web/sites/database_user_edit.php index 6f6e887cc..07fa1315f 100644 --- a/interface/web/sites/database_user_edit.php +++ b/interface/web/sites/database_user_edit.php 
@@ -122,7 +122,7 @@ class page_action extends tform_actions { } if($this->dataRecord['database_user'] == "") { - $app->tpl->setVar("database_user_prefix", $dbuser_prefix); + $app->tpl->setVar("database_user_prefix", $dbuser_prefix, true); } else { $app->tpl->setVar("database_user_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_user_prefix'], $dbuser_prefix, $global_config['dbuser_prefix']), true); } diff --git a/interface/web/sites/ftp_user_edit.php b/interface/web/sites/ftp_user_edit.php index a98e44779..7fab1e227 100644 --- a/interface/web/sites/ftp_user_edit.php +++ b/interface/web/sites/ftp_user_edit.php @@ -83,7 +83,7 @@ class page_action extends tform_actions { } if($this->dataRecord['username'] == "") { - $app->tpl->setVar("username_prefix", $ftpuser_prefix); + $app->tpl->setVar("username_prefix", $ftpuser_prefix, true); } else { $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $ftpuser_prefix, $global_config['ftpuser_prefix']), true); } diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php index 2f0a02989..7f74d893f 100644 --- a/interface/web/sites/shell_user_edit.php +++ b/interface/web/sites/shell_user_edit.php @@ -83,7 +83,7 @@ class page_action extends tform_actions { } if($this->dataRecord['username'] == "") { - $app->tpl->setVar("username_prefix", $shelluser_prefix); + $app->tpl->setVar("username_prefix", $shelluser_prefix, true); } else { $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $shelluser_prefix, $global_config['shelluser_prefix']), true); } diff --git a/interface/web/sites/web_childdomain_edit.php b/interface/web/sites/web_childdomain_edit.php index 622d0d079..2da58a466 100644 --- a/interface/web/sites/web_childdomain_edit.php +++ b/interface/web/sites/web_childdomain_edit.php 
@@ -87,7 +87,7 @@ class page_action extends tform_actions { } } - $app->tpl->setVar('childdomain_type', $this->_childdomain_type); + $app->tpl->setVar('childdomain_type', $this->_childdomain_type, true); parent::onShowNew(); } @@ -118,7 +118,7 @@ class page_action extends tform_actions { } elseif($this->_childdomain_type == 'aliasdomain' && $domain['domain'] == $this->dataRecord["domain"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n"; } } else { @@ -159,7 +159,7 @@ class page_action extends tform_actions { $proxy_directive_snippets_txt = ''; if(is_array($proxy_directive_snippets) && !empty($proxy_directive_snippets)){ foreach($proxy_directive_snippets as $proxy_directive_snippet){ - $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].'] '; + $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).'] '; } } if($proxy_directive_snippets_txt == '') $proxy_directive_snippets_txt = '------'; @@ -167,7 +167,7 @@ class page_action extends tform_actions { $app->tpl->setVar('limit_ssl_letsencrypt', 'y'); } - $app->tpl->setVar('childdomain_type', $this->_childdomain_type); + $app->tpl->setVar('childdomain_type', $this->_childdomain_type, true); parent::onShowEnd(); diff --git a/interface/web/sites/web_vhost_domain_edit.php b/interface/web/sites/web_vhost_domain_edit.php index f04dc019e..52771819c 100644 --- a/interface/web/sites/web_vhost_domain_edit.php +++ b/interface/web/sites/web_vhost_domain_edit.php 
@@ -115,7 +115,7 @@ class page_action extends tform_actions { $client = $app->db->queryOneRecord("SELECT client.web_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $web_servers = explode(',', $client['web_servers']); $server_id = $web_servers[0]; - $app->tpl->setVar("server_id_value", $server_id); + $app->tpl->setVar("server_id_value", $server_id, true); unset($web_servers); } else { $settings = $app->getconf->get_global_config('sites'); @@ -130,7 +130,7 @@ class page_action extends tform_actions { $app->tform->formDef['tabs']['domain']['fields']['php']['default'] = $web_config['php_handler']; $app->tform->formDef['tabs']['domain']['readonly'] = false; - $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type); + $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type, true); parent::onShowNew(); } @@ -179,7 +179,7 @@ class page_action extends tform_actions { $options_web_servers = ""; foreach ($web_servers as $web_server) { - $options_web_servers .= ''; + $options_web_servers .= ''; } $app->tpl->setVar("server_id", $options_web_servers); @@ -214,7 +214,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ip_address", $ip_select); @@ -230,7 +230,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ipv6_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ipv6_address", $ip_select); 
@@ -266,7 +266,7 @@ class page_action extends tform_actions { $php_version = $php_record['name'].':'.$php_record['php_fastcgi_binary'].':'.$php_record['php_fastcgi_ini_dir']; } $selected = ($php_version == $this->dataRecord["fastcgi_php_version"])?'SELECTED':''; - $php_select .= "\r\n"; + $php_select .= "\r\n"; } } $app->tpl->setVar("fastcgi_php_version", $php_select); @@ -306,7 +306,7 @@ class page_action extends tform_actions { $options_web_servers = ""; foreach ($web_servers as $web_server) { - $options_web_servers .= ''; + $options_web_servers .= ''; } $app->tpl->setVar("server_id", $options_web_servers); @@ -361,7 +361,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ip_address", $ip_select); @@ -376,7 +376,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ipv6_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ipv6_address", $ip_select); @@ -413,7 +413,7 @@ class page_action extends tform_actions { $php_version = $php_record['name'].':'.$php_record['php_fastcgi_binary'].':'.$php_record['php_fastcgi_ini_dir']; } $selected = ($php_version == $this->dataRecord["fastcgi_php_version"])?'SELECTED':''; - $php_select .= "\r\n"; + $php_select .= "\r\n"; } } $app->tpl->setVar("fastcgi_php_version", $php_select); @@ -441,7 +441,7 @@ class page_action extends tform_actions { $php_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
'; foreach($php_directive_snippets as $php_directive_snippet){ $php_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $php_directive_snippet['snippet'] . PHP_EOL; - $php_directive_snippets_txt .= '['.$php_directive_snippet['name'].']     '; + $php_directive_snippets_txt .= '['.$app->functions->htmlentities($php_directive_snippet['name']).']     '; } } if($php_directive_snippets_txt == '') $php_directive_snippets_txt = '------'; @@ -464,7 +464,7 @@ class page_action extends tform_actions { $apache_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
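Review bot: Only the snippet `name` is escaped in the `@@ -441` hunk of web_vhost_domain_edit.php, while the `snippet` body assigned on the line above (`$php_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . ...`) appears to be emitted into the same link markup that was stripped in this rendering; if that attribute is not already escaped, the free-form snippet body is the larger sink and needs `$app->functions->htmlentities()` too. This loop is repeated in the php/apache/nginx/proxy hunks of the same file (`@@ -464` through `@@ -681`) and in the proxy loop of web_childdomain_edit.php, so the check applies to each of them. A single private method that builds the link from name, snippet and the selected-template text and escapes both would turn every copy into one call and let the escaping be reviewed once. The enclosing method begins outside the hunk.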
'; foreach($apache_directive_snippets as $apache_directive_snippet){ $apache_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $apache_directive_snippet['snippet'] . PHP_EOL; - $apache_directive_snippets_txt .= '['.$apache_directive_snippet['name'].']     '; + $apache_directive_snippets_txt .= '['.$app->functions->htmlentities($apache_directive_snippet['name']).']     '; } } if($apache_directive_snippets_txt == '') $apache_directive_snippets_txt = '------'; @@ -478,7 +478,7 @@ class page_action extends tform_actions { $nginx_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
'; foreach($nginx_directive_snippets as $nginx_directive_snippet){ $nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL; - $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']     '; + $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']     '; } $nginx_directive_snippets_txt .= '

'; } @@ -488,7 +488,7 @@ class page_action extends tform_actions { $nginx_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
'; foreach($nginx_directive_snippets as $nginx_directive_snippet){ $nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL; - $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']     '; + $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']     '; } } if($nginx_directive_snippets_txt == '') $nginx_directive_snippets_txt = '------'; @@ -501,7 +501,7 @@ class page_action extends tform_actions { $proxy_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
'; foreach($proxy_directive_snippets as $proxy_directive_snippet){ $proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL; - $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']     '; + $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']     '; } $proxy_directive_snippets_txt .= '

'; } @@ -511,7 +511,7 @@ class page_action extends tform_actions { $proxy_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
'; foreach($proxy_directive_snippets as $proxy_directive_snippet){ $proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL; - $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']     '; + $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']     '; } } if($proxy_directive_snippets_txt == '') $proxy_directive_snippets_txt = '------'; @@ -557,7 +557,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ip_address", $ip_select); @@ -572,7 +572,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ipv6_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ipv6_address", $ip_select); @@ -633,7 +633,7 @@ class page_action extends tform_actions { $php_version = $php_record['name'].':'.$php_record['php_fastcgi_binary'].':'.$php_record['php_fastcgi_ini_dir']; } $selected = ($php_version == $this->dataRecord["fastcgi_php_version"])?'SELECTED':''; - $php_select .= "\r\n"; + $php_select .= "\r\n"; } } $app->tpl->setVar("fastcgi_php_version", $php_select); @@ -648,7 +648,7 @@ class page_action extends tform_actions { $php_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
'; foreach($php_directive_snippets as $php_directive_snippet){ $php_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $php_directive_snippet['snippet'] . PHP_EOL; - $php_directive_snippets_txt .= '['.$php_directive_snippet['name'].']     '; + $php_directive_snippets_txt .= '['.$app->functions->htmlentities($php_directive_snippet['name']).']     '; } $php_directive_snippets_txt .= '

'; } @@ -658,7 +658,7 @@ class page_action extends tform_actions { $php_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
'; foreach($php_directive_snippets as $php_directive_snippet){ $php_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $php_directive_snippet['snippet'] . PHP_EOL; - $php_directive_snippets_txt .= '['.$php_directive_snippet['name'].']     '; + $php_directive_snippets_txt .= '['.$app->functions->htmlentities($php_directive_snippet['name']).']     '; } } if($php_directive_snippets_txt == '') $php_directive_snippets_txt = '------'; @@ -671,7 +671,7 @@ class page_action extends tform_actions { $apache_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
'; foreach($apache_directive_snippets as $apache_directive_snippet){ $apache_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $apache_directive_snippet['snippet'] . PHP_EOL; - $apache_directive_snippets_txt .= '['.$apache_directive_snippet['name'].']     '; + $apache_directive_snippets_txt .= '['.$app->functions->htmlentities($apache_directive_snippet['name']).']     '; } $apache_directive_snippets_txt .= '

'; } @@ -681,7 +681,7 @@ class page_action extends tform_actions { $apache_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
'; foreach($apache_directive_snippets as $apache_directive_snippet){ $apache_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $apache_directive_snippet['snippet'] . PHP_EOL; - $apache_directive_snippets_txt .= '['.$apache_directive_snippet['name'].']     '; + $apache_directive_snippets_txt .= '['.$app->functions->htmlentities($apache_directive_snippet['name']).']     '; } } if($apache_directive_snippets_txt == '') $apache_directive_snippets_txt = '------'; @@ -695,7 +695,7 @@ class page_action extends tform_actions { $nginx_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
'; foreach($nginx_directive_snippets as $nginx_directive_snippet){ $nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL; - $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']     '; + $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']     '; } $nginx_directive_snippets_txt .= '

'; } @@ -705,7 +705,7 @@ class page_action extends tform_actions { $nginx_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
'; foreach($nginx_directive_snippets as $nginx_directive_snippet){ $nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL; - $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']     '; + $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']     '; } } if($nginx_directive_snippets_txt == '') $nginx_directive_snippets_txt = '------'; @@ -718,7 +718,7 @@ class page_action extends tform_actions { $proxy_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
'; foreach($proxy_directive_snippets as $proxy_directive_snippet){ $proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL; - $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']     '; + $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']     '; } $proxy_directive_snippets_txt .= '

'; } @@ -728,7 +728,7 @@ class page_action extends tform_actions { $proxy_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
'; foreach($proxy_directive_snippets as $proxy_directive_snippet){ $proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL; - $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']     '; + $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']     '; } } if($proxy_directive_snippets_txt == '') $proxy_directive_snippets_txt = '------'; @@ -748,7 +748,7 @@ class page_action extends tform_actions { if(is_array($ssl_domains)) { foreach( $ssl_domains as $ssl_domain) { $selected = ($ssl_domain == $this->dataRecord['ssl_domain'])?'SELECTED':''; - $ssl_domain_select .= "\r\n"; + $ssl_domain_select .= "\r\n"; } } $app->tpl->setVar("ssl_domain", $ssl_domain_select); @@ -798,7 +798,7 @@ class page_action extends tform_actions { } elseif($this->_vhostdomain_type == 'domain' && $domain['domain'] == $this->dataRecord["domain"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n"; } } else { 
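Review bot: Only the option's text node is escaped on the changed line; the attribute part of the same option element, assembled by the `$domain_select .=` statements above the `">"` concatenation, is outside what this rendering shows, and if it carries `$domain['domain']` raw the text-node fix alone leaves that path open. Decoding with `idn_decode()` before `htmlentities()` is the right order, as the displayed form is what has to be neutralised; it does presume the helper encodes as UTF-8, which is worth confirming once since IDN output is non-ASCII. The enclosing method starts before and ends after this hunk.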
@@ -827,13 +827,13 @@ class page_action extends tform_actions { $datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'web_domain' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'domain_id:' . $this->id); if(is_array($datalog) && !empty($datalog)){ if(trim($datalog['error']) != ''){
- $app->tpl->setVar("config_error_msg", nl2br(htmlentities($datalog['error'])));
+ $app->tpl->setVar("config_error_msg", nl2br($app->functions->htmlentities($datalog['error'])));
 $app->tpl->setVar("config_error_tstamp", date($app->lng('conf_format_datetime'), $datalog['tstamp'])); } } }
- $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type);
+ $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type, true);
 $app->tpl->setVar('is_spdy_enabled', ($web_config['enable_spdy'] === 'y')); $app->tpl->setVar("is_admin", $is_admin);
@@ -859,7 +859,7 @@ class page_action extends tform_actions { if(is_array($m_directive_snippets) && !empty($m_directive_snippets)){ $directive_snippets_id_select .= ''; foreach($m_directive_snippets as $m_directive_snippet){
- $directive_snippets_id_select .= '';
+ $directive_snippets_id_select .= '';
 } $directive_snippets_id_select .= ''; }
@@ -868,7 +868,7 @@ class page_action extends tform_actions { if(is_array($directive_snippets) && !empty($directive_snippets)){ $directive_snippets_id_select .= ''; foreach($directive_snippets as $directive_snippet){
- $directive_snippets_id_select .= '';
+ $directive_snippets_id_select .= '';
 } $directive_snippets_id_select .= ''; }
diff --git a/interface/web/sites/webdav_user_edit.php b/interface/web/sites/webdav_user_edit.php
index e94625fd9..e02e0bdaf 100644
--- a/interface/web/sites/webdav_user_edit.php
+++ b/interface/web/sites/webdav_user_edit.php
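Review bot: `config_error_msg` is passed to setVar() already escaped and without the third argument, while `vhostdomain_type` on the next changed line now relies on setVar's escape flag; both are correct as written, but the asymmetry invites a later "fix" that adds `true` to the first call and double-encodes the `<br />` that `nl2br()` inserts. A comment on that call, `// pre-escaped: nl2br() adds markup that setVar() must not encode again`, would pin the intent. `$this->_vhostdomain_type` is internal state assigned outside this hunk, so escaping it on output is cheap insurance regardless of how it is validated on the way in. The enclosing method starts before and ends after this hunk.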
@@ -82,7 +82,7 @@ class page_action extends tform_actions { } if($this->dataRecord['username'] == "") {
- $app->tpl->setVar("username_prefix", $webdavuser_prefix);
+ $app->tpl->setVar("username_prefix", $webdavuser_prefix, true);
 } else { $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix']), true); }
diff --git a/interface/web/vm/openvz_vm_edit.php b/interface/web/vm/openvz_vm_edit.php
index 8109859ec..4dd1a551d 100644
--- a/interface/web/vm/openvz_vm_edit.php
+++ b/interface/web/vm/openvz_vm_edit.php
@@ -86,7 +86,7 @@ class page_action extends tform_actions { if(is_array($records)) { foreach( $records as $rec) { $selected = @($rec["template_id"] == $this->dataRecord["template_id"])?'SELECTED':'';
- $template_id_select .= "\r\n";
+ $template_id_select .= "\r\n";
 } } $app->tpl->setVar("template_id_select", $template_id_select);
@@ -109,7 +109,7 @@ class page_action extends tform_actions { if(is_array($records)) { foreach( $records as $rec) { $selected = @(is_array($this->dataRecord) && ($client["groupid"] == $this->dataRecord['client_group_id'] || $client["groupid"] == $this->dataRecord['sys_groupid']))?'SELECTED':'';
- $client_select .= "\r\n";
+ $client_select .= "\r\n";
 } } $app->tpl->setVar("client_group_id", $client_select);
@@ -124,7 +124,7 @@ class page_action extends tform_actions { if(is_array($records)) { foreach( $records as $rec) { $selected = @($rec["template_id"] == $this->dataRecord["template_id"])?'SELECTED':'';
- $template_id_select .= "\r\n";
+ $template_id_select .= "\r\n";
 } } $app->tpl->setVar("template_id_select", $template_id_select);
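Review bot: In hunk -109 the selection test reads `$client["groupid"]` inside `foreach( $records as $rec)`, so `$selected` is derived from a variable the loop never assigns and the leading `@` hides the resulting notice, giving every option the same `$selected` value; hunk -141 iterates `$clients as $client` and is the consistent form. Unless `$client` is deliberately carried over from code above the hunk, the test should read `$selected = @(is_array($this->dataRecord) && ($rec["groupid"] == $this->dataRecord['client_group_id'] || $rec["groupid"] == $this->dataRecord['sys_groupid']))?'SELECTED':'';`. The option markup on the `+` lines of hunks -86, -109 and -124 did not survive this rendering, so the escaping itself cannot be checked here. The enclosing methods start before and end after these hunks.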
@@ -141,7 +141,7 @@ class page_action extends tform_actions { if(is_array($clients)) { foreach( $clients as $client) { $selected = @(is_array($this->dataRecord) && ($client["groupid"] == $this->dataRecord['client_group_id'] || $client["groupid"] == $this->dataRecord['sys_groupid']))?'SELECTED':''; - $client_select .= "\r\n"; + $client_select .= "\r\n"; } } $app->tpl->setVar("client_group_id", $client_select); @@ -153,7 +153,7 @@ class page_action extends tform_actions { $template_id_select=''; foreach( $records as $rec) { $selected = @($rec["template_id"] == $this->dataRecord["template_id"])?'SELECTED':''; - $template_id_select .= "\r\n"; + $template_id_select .= "\r\n"; } } $app->tpl->setVar("template_id_select", $template_id_select); @@ -175,7 +175,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ip_address", $ip_select); @@ -188,7 +188,7 @@ class page_action extends tform_actions { foreach ($additional_ips as $idx => $rec) { $temp .= ""; $used = @($rec['additional']=='y')?'CHECKED':''; - $temp .= " ".$rec['ip_address']."
"; + $temp .= " ".$app->functions->htmlentities($rec['ip_address'])."
"; } $app->tpl->setVar("additional_ip", $temp); unset($used); -- GitLab