Commit 9a7981e0 authored by Marius Burkard's avatar Marius Burkard

- added htmlentities (XSS protection) to form data passed to template, fixes #4902

parent 5309338c
......@@ -287,7 +287,7 @@ class tform_actions {
global $app, $conf;
$app->tpl->setVar("error", "<li>".$app->tform->errorMessage."</li>");
$app->tpl->setVar($this->dataRecord);
$app->tpl->setVar($this->dataRecord, null, true);
$this->onShow();
}
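Review bot: The error message on the line above the change is still injected as raw HTML (`"<li>".$app->tform->errorMessage."</li>"`) while the form data is now encoded; if `$app->tform->errorMessage` can ever embed a submitted value (for example a validation message that echoes the offending field), that string remains an unescaped injection point on the same re-rendered page, and it is worth confirming where it is assembled. The new call also deserves a one-line why-comment so the third argument is not dropped by a later refactor, e.g. `// re-display submitted values HTML-encoded (XSS, #4902)`. The enclosing method starts outside the hunk.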
......
......@@ -226,21 +226,26 @@ if (!defined('vlibTemplateClassLoaded')) {
* using the keys as variable names and the values as variable values.
* @param mixed $k key to define variable name
* @param mixed $v variable to assign to $k
* @param bool $encode if set to true use htmlentities on values
* @return boolean true/false
* @access public
*/
public function setVar($k, $v = null)
public function setVar($k, $v = null, $encode = false)
{
global $app;
if (is_array($k)) {
foreach($k as $key => $value){
$key = ($this->OPTIONS['CASELESS']) ? strtolower(trim($key)) : trim($key);
if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $key) && $value !== null ) {
if($encode == true) $value = $app->functions->htmlentities($value);
$this->_vars[$key] = $value;
}
}
} else {
if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $k) && $v !== null) {
if ($this->OPTIONS['CASELESS']) $k = strtolower($k);
if($encode == true) $value = $app->functions->htmlentities($);
$this->_vars[trim($k)] = $v;
} else {
return false;
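Review bot: The scalar branch never encodes: the new line `if($encode == true) $value = $app->functions->htmlentities($);` is a parse error (`$)`), and even with the argument restored it writes to `$value` while the next line stores `$v`; it should read `if($encode == true) $v = $app->functions->htmlentities($v);`. Every single-value call site in this commit that passes `true` relies on this branch, so none of them is protected until it is fixed. In the array branch `$value` is encoded without an `is_array` check, so a multi-valued field in a record passed through `setVar($array, null, true)` would reach htmlentities as-is unless the `$app->functions` wrapper handles arrays itself — worth confirming. If that wrapper relies on PHP's default ENT_COMPAT flags, single quotes stay unescaped and a value placed inside a single-quoted attribute in a template is still injectable. setVar's body continues past the hunk.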
......
......@@ -70,9 +70,9 @@ class page_action extends tform_actions {
if($this->id > 0){
if($this->dataRecord['master_directive_snippets_id'] > 0){
$is_master = true;
$app->tpl->setVar("name", $this->dataRecord['name']);
$app->tpl->setVar("type", $this->dataRecord['type']);
$app->tpl->setVar("snippet", $this->dataRecord['snippet']);
$app->tpl->setVar("name", $this->dataRecord['name'], true);
$app->tpl->setVar("type", $this->dataRecord['type'], true);
$app->tpl->setVar("snippet", $this->dataRecord['snippet'], true);
}
}
$app->tpl->setVar("is_master", $is_master);
......
......@@ -149,7 +149,7 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
......
......@@ -217,7 +217,7 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
$datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'dns_soa' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'id:' . $this->id);
if(is_array($datalog) && !empty($datalog)){
......
......@@ -204,7 +204,7 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
......
......@@ -124,9 +124,9 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar("listname_value", $this->dataRecord["listname"]);
$app->tpl->setVar("domain_value", $this->dataRecord["domain"]);
$app->tpl->setVar("email_value", $this->dataRecord["email"]);
$app->tpl->setVar("listname_value", $this->dataRecord["listname"], true);
$app->tpl->setVar("domain_value", $this->dataRecord["domain"], true);
$app->tpl->setVar("email_value", $this->dataRecord["email"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
......
......@@ -121,7 +121,7 @@ class page_action extends tform_actions {
if($this->dataRecord['autoresponder_subject'] == '') {
$app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject'));
} else {
$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']);
$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true);
}
$app->uses('getconf');
......
......@@ -211,7 +211,7 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
......
......@@ -84,7 +84,7 @@ class page_action extends tform_actions {
if($this->dataRecord['autoresponder_subject'] == '') {
$app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject'));
} else {
$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']);
$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true);
}
parent::onShowEnd();
......
......@@ -73,7 +73,7 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
......
......@@ -143,22 +143,22 @@ class page_action extends tform_actions {
if ($this->dataRecord['database_name'] != ""){
/* REMOVE the restriction */
$app->tpl->setVar("database_name", $app->tools_sites->removePrefix($this->dataRecord['database_name'], $this->dataRecord['database_name_prefix'], $dbname_prefix));
$app->tpl->setVar("database_name", $app->tools_sites->removePrefix($this->dataRecord['database_name'], $this->dataRecord['database_name_prefix'], $dbname_prefix), true);
}
if($this->dataRecord['database_name'] == "") {
$app->tpl->setVar("database_name_prefix", $dbname_prefix);
} else {
$app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix']));
$app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix']), true);
}
if($this->id > 0) {
//* we are editing a existing record
$edit_disabled = @($_SESSION["s"]["user"]["typ"] == 'admin')? 0 : 1; //* admin can change the database-name
$app->tpl->setVar("edit_disabled", $edit_disabled);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
$app->tpl->setVar("database_charset_value", $this->dataRecord["database_charset"]);
$app->tpl->setVar("limit_database_quota", $this->dataRecord["database_quota"]);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
$app->tpl->setVar("database_charset_value", $this->dataRecord["database_charset"], true);
$app->tpl->setVar("limit_database_quota", $this->dataRecord["database_quota"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
......
......@@ -118,13 +118,13 @@ class page_action extends tform_actions {
if ($this->dataRecord['database_user'] != ""){
/* REMOVE the restriction */
$app->tpl->setVar("database_user", $app->tools_sites->removePrefix($this->dataRecord['database_user'], $this->dataRecord['database_user_prefix'], $dbuser_prefix));
$app->tpl->setVar("database_user", $app->tools_sites->removePrefix($this->dataRecord['database_user'], $this->dataRecord['database_user_prefix'], $dbuser_prefix), true);
}
if($this->dataRecord['database_user'] == "") {
$app->tpl->setVar("database_user_prefix", $dbuser_prefix);
} else {
$app->tpl->setVar("database_user_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_user_prefix'], $dbuser_prefix, $global_config['dbuser_prefix']));
$app->tpl->setVar("database_user_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_user_prefix'], $dbuser_prefix, $global_config['dbuser_prefix']), true);
}
parent::onShowEnd();
......
......@@ -79,13 +79,13 @@ class page_action extends tform_actions {
if ($this->dataRecord['username'] != ""){
/* REMOVE the restriction */
$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $ftpuser_prefix));
$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $ftpuser_prefix), true);
}
if($this->dataRecord['username'] == "") {
$app->tpl->setVar("username_prefix", $ftpuser_prefix);
} else {
$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $ftpuser_prefix, $global_config['ftpuser_prefix']));
$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $ftpuser_prefix, $global_config['ftpuser_prefix']), true);
}
parent::onShowEnd();
......
......@@ -79,19 +79,19 @@ class page_action extends tform_actions {
if ($this->dataRecord['username'] != ""){
/* REMOVE the restriction */
$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $shelluser_prefix));
$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $shelluser_prefix), true);
}
if($this->dataRecord['username'] == "") {
$app->tpl->setVar("username_prefix", $shelluser_prefix);
} else {
$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $shelluser_prefix, $global_config['shelluser_prefix']));
$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $shelluser_prefix, $global_config['shelluser_prefix']), true);
}
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
......
......@@ -144,7 +144,7 @@ class page_action extends tform_actions {
$this->dataRecord["domain"] = str_replace('.'.$parent_domain["domain"], '', $this->dataRecord["domain"]);
}
}
if($this->_childdomain_type == 'subdomain') $app->tpl->setVar("domain", $this->dataRecord["domain"]);
if($this->_childdomain_type == 'subdomain') $app->tpl->setVar("domain", $this->dataRecord["domain"], true);
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
......
......@@ -761,8 +761,8 @@ class page_action extends tform_actions {
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar('fixed_folder', 'y');
if($this->_vhostdomain_type == 'domain') {
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
$app->tpl->setVar("document_root", $this->dataRecord["document_root"]);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
$app->tpl->setVar("document_root", $this->dataRecord["document_root"], true);
}
else $app->tpl->setVar('server_id_value', $parent_domain['server_id']);
} else {
......@@ -820,7 +820,7 @@ class page_action extends tform_actions {
if($this->dataRecord["type"] == 'vhostsubdomain') $this->dataRecord["domain"] = str_replace('.'.$parent_domain["domain"], '', $this->dataRecord["domain"]);
}
if($this->_vhostdomain_type != 'domain') $app->tpl->setVar("domain", $this->dataRecord["domain"]);
if($this->_vhostdomain_type != 'domain') $app->tpl->setVar("domain", $this->dataRecord["domain"], true);
// check for configuration errors in sys_datalog
if($this->id > 0) {
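Review bot: The else branch directly after the two new lines, `else $app->tpl->setVar('server_id_value', $parent_domain['server_id']);`, is left without the encode flag while the same template variable gets `true` on the `domain` path; the value appears to come from a database row rather than the request, so this is probably harmless, but `else $app->tpl->setVar('server_id_value', $parent_domain['server_id'], true);` keeps `server_id_value` encoded on both paths and avoids a template author having to know which branch produced it. The enclosing onShowEnd continues beyond the hunk.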
......
......@@ -78,19 +78,19 @@ class page_action extends tform_actions {
if ($this->dataRecord['username'] != "") {
/* REMOVE the restriction */
$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $webdavuser_prefix));
$app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $webdavuser_prefix), true);
}
if($this->dataRecord['username'] == "") {
$app->tpl->setVar("username_prefix", $webdavuser_prefix);
} else {
$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix']));
$app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix']), true);
}
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
$app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
......
......@@ -198,8 +198,8 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
$app->tpl->setVar("ostemplate_id_value", $this->dataRecord["ostemplate_id"]);
$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
$app->tpl->setVar("ostemplate_id_value", $this->dataRecord["ostemplate_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
......