diff --git a/interface/lib/app.inc.php b/interface/lib/app.inc.php index edbba27c7c2ea6cfaafd82333e74dbf5bc94848d..1cc96e9c2e28a5399040b6c2c2c5b450e5c96a41 100755 --- a/interface/lib/app.inc.php +++ b/interface/lib/app.inc.php @@ -298,14 +298,14 @@ class app { $this->tpl->setVar('phpsessid', session_id()); - $this->tpl->setVar('theme', $_SESSION['s']['theme']); + $this->tpl->setVar('theme', $_SESSION['s']['theme'], true); $this->tpl->setVar('html_content_encoding', $this->_conf['html_content_encoding']); $this->tpl->setVar('delete_confirmation', $this->lng('delete_confirmation')); //print_r($_SESSION); if(isset($_SESSION['s']['module']['name'])) { - $this->tpl->setVar('app_module', $_SESSION['s']['module']['name']); - $this->tpl->setVar('session_module', $_SESSION['s']['module']['name']); + $this->tpl->setVar('app_module', $_SESSION['s']['module']['name'], true); + $this->tpl->setVar('session_module', $_SESSION['s']['module']['name'], true); } if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') { $this->tpl->setVar('is_admin', 1); @@ -315,7 +315,7 @@ class app { } /* Show username */ if(isset($_SESSION['s']['user'])) { - $this->tpl->setVar('cpuser', $_SESSION['s']['user']['username']); + $this->tpl->setVar('cpuser', $_SESSION['s']['user']['username'], true); $this->tpl->setVar('logout_txt', $this->lng('logout_txt')); /* Show search field only for normal users, not mail users */ if(stristr($_SESSION['s']['user']['username'], '@')){ @@ -342,7 +342,7 @@ $app = new app(); // load and enable PHP Intrusion Detection System (PHPIDS) $ids_security_config = $app->getconf->get_security_config('ids'); -if(is_dir(ISPC_CLASS_PATH.'/IDS') && $ids_security_config['ids_enabled'] == 'yes') { +if(is_dir(ISPC_CLASS_PATH.'/IDS') && ($ids_security_config['ids_anon_enabled'] == 'yes' || $ids_security_config['ids_user_enabled'] == 'yes' || $ids_security_config['ids_admin_enabled'] == 'yes')) { $app->uses('ids'); $app->ids->start(); } diff --git a/interface/lib/classes/db_mysql.inc.php b/interface/lib/classes/db_mysql.inc.php index e0c003abca71a5d7117dcf360ffd95801b2e289d..948d4e81ff2461fb9fb67393e21d1a383ea1fce6 100644 --- a/interface/lib/classes/db_mysql.inc.php +++ b/interface/lib/classes/db_mysql.inc.php @@ -472,7 +472,7 @@ class db { public function escape($sString) { global $app; if(!is_string($sString) && !is_numeric($sString)) { - $app->log('NON-String given in escape function! (' . gettype($sString) . ')', LOGLEVEL_INFO); + $app->log('NON-String given in escape function! (' . gettype($sString) . ')', LOGLEVEL_DEBUG); //$sAddMsg = getDebugBacktrace(); $app->log($sAddMsg, LOGLEVEL_DEBUG); $sString = ''; @@ -481,7 +481,7 @@ class db { $cur_encoding = mb_detect_encoding($sString); if($cur_encoding != "UTF-8") { if($cur_encoding != 'ASCII') { - if(is_object($app) && method_exists($app, 'log')) $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_INFO); + if(is_object($app) && method_exists($app, 'log')) $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_DEBUG); if($cur_encoding) $sString = mb_convert_encoding($sString, 'UTF-8', $cur_encoding); else $sString = mb_convert_encoding($sString, 'UTF-8'); } diff --git a/interface/lib/classes/ids.inc.php b/interface/lib/classes/ids.inc.php index ac5cb1912897f0eb0355715c24985092bc4d386a..abdf32b30251543045b0302158378748eba17d8b 100644 --- a/interface/lib/classes/ids.inc.php +++ b/interface/lib/classes/ids.inc.php @@ -118,7 +118,25 @@ class ids { $impact = $ids_result->getImpact(); - if($impact >= $security_config['ids_log_level']) { + // Choose level from security config + if($app->auth->is_admin()) { + // User is admin + $ids_log_level = $security_config['ids_admin_log_level']; + $ids_warn_level = $security_config['ids_admin_warn_level']; + $ids_block_level = $security_config['ids_admin_block_level']; + } elseif(is_array($_SESSION['s']['user']) && $_SESSION['s']['user']['userid'] > 0) { + // User is Client or Reseller + $ids_log_level = $security_config['ids_user_log_level']; + $ids_warn_level = $security_config['ids_user_warn_level']; + $ids_block_level = $security_config['ids_user_block_level']; + } else { + // Not logged in + $ids_log_level = $security_config['ids_anon_log_level']; + $ids_warn_level = $security_config['ids_anon_warn_level']; + $ids_block_level = $security_config['ids_anon_block_level']; + } + + if($impact >= $ids_log_level) { $ids_log = ISPC_ROOT_PATH.'/temp/ids.log'; if(!is_file($ids_log)) touch($ids_log); @@ -132,11 +150,11 @@ class ids { } - if($impact >= $security_config['ids_warn_level']) { + if($impact >= $ids_warn_level) { $app->log("PHP IDS Alert.".$ids_result, 2); } - if($impact >= $security_config['ids_block_level']) { + if($impact >= $ids_block_level) { $app->error("Possible attack detected. This action has been logged.",'', true, 2); } diff --git a/interface/lib/classes/plugin_listview.inc.php b/interface/lib/classes/plugin_listview.inc.php index bc764caefe0dbb144b53d6c87826bad5edb0a637..c9d8340e02e290de97bedba9a4edb530aca6a7b4 100644 --- a/interface/lib/classes/plugin_listview.inc.php +++ b/interface/lib/classes/plugin_listview.inc.php @@ -56,7 +56,7 @@ class plugin_listview extends plugin_base { // $app->listform->listDef["page_params"] = "&id=".$app->tform_actions->id."&next_tab=".$_SESSION["s"]["form"]["tab"]; $app->listform->listDef["page_params"] = "&id=".$this->form->id."&next_tab=".$_SESSION["s"]["form"]["tab"]; $listTpl->setVar('parent_id', $this->form->id); - $listTpl->setVar('theme', $_SESSION['s']['theme']); + $listTpl->setVar('theme', $_SESSION['s']['theme'], true); // Generate the SQL for searching $sql_where = ""; @@ -193,13 +193,13 @@ class plugin_listview extends plugin_base { $listTpl->setVar('phpsessid', session_id()); - $listTpl->setVar('theme', $_SESSION['s']['theme']); + $listTpl->setVar('theme', $_SESSION['s']['theme'], true); $listTpl->setVar('html_content_encoding', $app->_conf['html_content_encoding']); $listTpl->setVar('delete_confirmation', $app->lng('delete_confirmation')); //print_r($_SESSION); if(isset($_SESSION['s']['module']['name'])) { - $listTpl->setVar('app_module', $_SESSION['s']['module']['name']); + $listTpl->setVar('app_module', $_SESSION['s']['module']['name'], true); } if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') { $listTpl->setVar('is_admin', 1); @@ -209,7 +209,7 @@ class plugin_listview extends plugin_base { } /* Show username */ if(isset($_SESSION['s']['user'])) { - $listTpl->setVar('cpuser', $_SESSION['s']['user']['username']); + $listTpl->setVar('cpuser', $_SESSION['s']['user']['username'], true); $listTpl->setVar('logout_txt', $app->lng('logout_txt')); /* Show search field only for normal users, not mail users */ if(stristr($_SESSION['s']['user']['username'], '@')){ diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php index 503bd24eb83db64554010944519b9c79898b6bb1..b28e50322454c93df811dc94a70549d0a23931a2 100644 --- a/interface/lib/classes/tform.inc.php +++ b/interface/lib/classes/tform.inc.php @@ -115,11 +115,18 @@ class tform extends tform_base { // Show the same tab again in case of an error $active_tab = $_SESSION["s"]["form"]["tab"]; } + + if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$active_tab)) { + die('Invalid next tab name.'); + } return $active_tab; } function getCurrentTab() { + if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$_SESSION["s"]["form"]["tab"])) { + die('Invalid current tab name.'); + } return $_SESSION["s"]["form"]["tab"]; } diff --git a/interface/lib/classes/tform_actions.inc.php b/interface/lib/classes/tform_actions.inc.php index e0ff25145575407e09e062b40f57e462e99c5c2d..f277c51274f3e8e4f9c5f03814f07367c7a8fcf2 100644 --- a/interface/lib/classes/tform_actions.inc.php +++ b/interface/lib/classes/tform_actions.inc.php @@ -287,7 +287,7 @@ class tform_actions { global $app, $conf; $app->tpl->setVar("error", "
  • ".$app->tform->errorMessage."
    • "); - $app->tpl->setVar($this->dataRecord); + $app->tpl->setVar($this->dataRecord, null, true); $this->onShow(); } diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php index d06072e830c75e9b33e7abe960c3ef69311d1d31..0e839c53d3e5aec2263032a896e81b13aa2369e5 100644 --- a/interface/lib/classes/tform_base.inc.php +++ b/interface/lib/classes/tform_base.inc.php @@ -245,7 +245,7 @@ class tform_base { */ function decode($record, $tab) { global $conf, $app; - if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab does not exist or the tab is empty (TAB: $tab)."); + if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab does not exist or the tab is empty (TAB: ".$app->functions->htmlentities($tab).")."); return $this->_decode($record, $tab, false); } @@ -416,7 +416,7 @@ class tform_base { $this->action = $action; if(!is_array($this->formDef)) $app->error("No form definition found."); - if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: $tab)."); + if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).")."); /* CSRF PROTECTION */ // generate csrf protection id and key @@ -868,7 +868,7 @@ class tform_base { function encode($record, $tab, $dbencode = true) { global $app; - if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab is empty or does not exist (TAB: $tab)."); + if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).")."); return $this->_encode($record, $tab, $dbencode, false); } @@ -1437,7 +1437,7 @@ class tform_base { } if(!is_array($this->formDef)) $app->error("Form definition not found."); - if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: $tab)."); + if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).")."); return $this->_getSQL($record, $tab, $action, $primary_id, $sql_ext_where, false); } diff --git a/interface/lib/classes/tpl.inc.php b/interface/lib/classes/tpl.inc.php index 2104cf61a5f50ea4dbd3e2bd52eb19c496158496..efaf4c072a8ceac226b9fb5d243fdadb4fa0d9f7 100644 --- a/interface/lib/classes/tpl.inc.php +++ b/interface/lib/classes/tpl.inc.php @@ -226,21 +226,26 @@ if (!defined('vlibTemplateClassLoaded')) { * using the keys as variable names and the values as variable values. * @param mixed $k key to define variable name * @param mixed $v variable to assign to $k + * @param bool $encode if set to true use htmlentities on values * @return boolean true/false * @access public */ - public function setVar($k, $v = null) + public function setVar($k, $v = null, $encode = false) { + global $app; + if (is_array($k)) { foreach($k as $key => $value){ $key = ($this->OPTIONS['CASELESS']) ? strtolower(trim($key)) : trim($key); if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $key) && $value !== null ) { + if($encode == true) $value = $app->functions->htmlentities($value); $this->_vars[$key] = $value; } } } else { if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $k) && $v !== null) { if ($this->OPTIONS['CASELESS']) $k = strtolower($k); + if($encode == true) $v = $app->functions->htmlentities($v); $this->_vars[trim($k)] = $v; } else { return false; diff --git a/interface/web/admin/directive_snippets_edit.php b/interface/web/admin/directive_snippets_edit.php index de803581e07d373a23bfce05e490772d041788b4..b12da0a79bf28f000b0c11103db13482557608ad 100644 --- a/interface/web/admin/directive_snippets_edit.php +++ b/interface/web/admin/directive_snippets_edit.php @@ -70,9 +70,9 @@ class page_action extends tform_actions { if($this->id > 0){ if($this->dataRecord['master_directive_snippets_id'] > 0){ $is_master = true; - $app->tpl->setVar("name", $this->dataRecord['name']); - $app->tpl->setVar("type", $this->dataRecord['type']); - $app->tpl->setVar("snippet", $this->dataRecord['snippet']); + $app->tpl->setVar("name", $this->dataRecord['name'], true); + $app->tpl->setVar("type", $this->dataRecord['type'], true); + $app->tpl->setVar("snippet", $this->dataRecord['snippet'], true); } } $app->tpl->setVar("is_master", $is_master); diff --git a/interface/web/admin/firewall_edit.php b/interface/web/admin/firewall_edit.php index 4ee72aa954c6baf3302154e359c03b7a70aef261..01cad2b815b1c09775bf0a95ac31b57e01dcefec 100644 --- a/interface/web/admin/firewall_edit.php +++ b/interface/web/admin/firewall_edit.php @@ -57,7 +57,7 @@ class page_action extends tform_actions { if($this->id ==0) { //* new record $server_list = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE server_id NOT IN (SELECT server_id FROM firewall) ORDER BY server_name"); if(is_array($server_list)) { - foreach( $server_list as $server) $server_select .= "\r\n"; + foreach( $server_list as $server) $server_select .= "\r\n"; } $app->tpl->setVar('server_id', $server_select); } diff --git a/interface/web/admin/server_edit.php b/interface/web/admin/server_edit.php index 5b446c0494adea6818d9292e830718c9efd435f6..b146d8f295d991ed6161f59349373a3800561aa0 100644 --- a/interface/web/admin/server_edit.php +++ b/interface/web/admin/server_edit.php @@ -61,7 +61,7 @@ class page_action extends tform_actions { if(is_array($mirror_servers)) { foreach( $mirror_servers as $mirror_server) { $selected = ($mirror_server["server_id"] == $this->dataRecord['mirror_server_id'])?'SELECTED':''; - $mirror_server_select .= "\r\n"; + $mirror_server_select .= "\r\n"; } } $app->tpl->setVar("mirror_server_id", $mirror_server_select); diff --git a/interface/web/admin/server_ip_map_edit.php b/interface/web/admin/server_ip_map_edit.php index 4442287132f6f8c1c9b775b178c9b69dc1297d85..b5188673093184891d15b04dea9e82fed61f6d09 100644 --- a/interface/web/admin/server_ip_map_edit.php +++ b/interface/web/admin/server_ip_map_edit.php @@ -52,7 +52,7 @@ class page_action extends tform_actions { if(is_array($servers)) { foreach($servers as $server) { $selected = ($server['server_id'] == $this->dataRecord['server_id'])?'SELECTED':''; - $server_select .= "\r\n"; + $server_select .= "\r\n"; } } unset($servers); @@ -65,7 +65,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip['ip_address'] == $this->dataRecord['source_ip'])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } unset($ips); diff --git a/interface/web/client/client_del.php b/interface/web/client/client_del.php index 1540bfbfd7528d3f8bb8a5e91a9bc96aa140aa03..8bef6e9d634868439d7d57ff49f8ab78e4341e26 100644 --- a/interface/web/client/client_del.php +++ b/interface/web/client/client_del.php @@ -128,13 +128,12 @@ class page_action extends tform_actions { $app->db->query("DELETE FROM sys_user WHERE client_id = ?", $client_id); // Delete all records (sub-clients, mail, web, etc....) of this client. - $tables = 'client,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_domain,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,support_message,web_database,web_database_user,web_domain,web_folder,web_folder_user,domain,mail_mailinglist'; + $tables = 'client,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_domain,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,support_message,web_database,web_database_user,web_domain,web_folder,web_folder_user,domain,mail_mailinglist,spamfilter_wblist'; $tables_array = explode(',', $tables); $client_group_id = $app->functions->intval($client_group['groupid']); if($client_group_id > 1) { foreach($tables_array as $table) { if($table != '') { - $records = $app->db->queryAllRecords("SELECT * FROM ?? WHERE sys_groupid = ?", $table, $client_group_id); //* find the primary ID of the table $table_info = $app->db->tableInfo($table); $index_field = ''; @@ -143,6 +142,7 @@ class page_action extends tform_actions { } //* Delete the records if($index_field != '') { + $records = $app->db->queryAllRecords("SELECT * FROM ?? WHERE sys_groupid = ? ORDER BY ?? DESC", $table, $client_group_id, $index_field); if(is_array($records)) { foreach($records as $rec) { $app->db->datalogDelete($table, $index_field, $rec[$index_field]); diff --git a/interface/web/client/client_message.php b/interface/web/client/client_message.php index eb8bcdbae244e1e5a93958cd2a3f8cabf042ffb6..b4638bd2151ce076df7d96970166e163552d21ea 100644 --- a/interface/web/client/client_message.php +++ b/interface/web/client/client_message.php @@ -114,9 +114,9 @@ if(isset($_POST) && count($_POST) > 1) { } } else { - $app->tpl->setVar('sender', $_POST['sender']); - $app->tpl->setVar('subject', $_POST['subject']); - $app->tpl->setVar('message', $_POST['message']); + $app->tpl->setVar('sender', $_POST['sender'], true); + $app->tpl->setVar('subject', $_POST['subject'], true); + $app->tpl->setVar('message', $_POST['message'], true); } } else { // pre-fill Sender field with reseller's email address diff --git a/interface/web/client/message_template_edit.php b/interface/web/client/message_template_edit.php index 7d285ac7ef86e6bd1f6ee7a379ef21cb24f62e7d..1c11ff89577afc49c921d82646e5749fb342ec1b 100644 --- a/interface/web/client/message_template_edit.php +++ b/interface/web/client/message_template_edit.php @@ -80,7 +80,7 @@ class page_action extends tform_actions { if($field_name['Field'] == 'gender'){ $message_variables .= '{salutation} '; } else { - $message_variables .= '{'.$field_name['Field'].'} '; + $message_variables .= '{'.$app->functions->htmlentities($field_name['Field']).'} '; } } } diff --git a/interface/web/dns/dns_dkim_edit.php b/interface/web/dns/dns_dkim_edit.php index 7f7e6856dbe45c494a3121277bcbb669774519c5..35bac0d0c6254b642fc8a198b28209cb64109f49 100644 --- a/interface/web/dns/dns_dkim_edit.php +++ b/interface/web/dns/dns_dkim_edit.php @@ -76,8 +76,8 @@ class page_action extends tform_actions { if(isset($sql['domain']) && $sql['domain'] != '') { if($sql['dkim'] == 'y') { $public_key=str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$sql['dkim_public']); - $app->tpl->setVar('public_key', $public_key); - $app->tpl->setVar('selector', $sql['dkim_selector']); + $app->tpl->setVar('public_key', $public_key, true); + $app->tpl->setVar('selector', $sql['dkim_selector'], true); } else { //TODO: show warning - use mail_domain for dkim and enabled dkim } @@ -85,7 +85,7 @@ class page_action extends tform_actions { } else { $app->tpl->setVar('edit_disabled', 0); } - $app->tpl->setVar('name', $soa['origin']); + $app->tpl->setVar('name', $soa['origin'], true); } diff --git a/interface/web/dns/dns_dmarc_edit.php b/interface/web/dns/dns_dmarc_edit.php index c806c7c20e4a44c35f4866c3a5b93dc2531b2288..7f915074d75deccbf9f3f62cbb2e75a7b8ab6da2 100644 --- a/interface/web/dns/dns_dmarc_edit.php +++ b/interface/web/dns/dns_dmarc_edit.php @@ -93,7 +93,7 @@ class page_action extends tform_actions { if ( isset($rec) && !empty($rec) ) { $this->id = 1; $old_data = strtolower($rec['data']); - $app->tpl->setVar("data", $old_data); + $app->tpl->setVar("data", $old_data, true); if ($rec['active'] == 'Y') $app->tpl->setVar("active", "CHECKED"); else $app->tpl->setVar("active", "UNCHECKED"); $dmarc_rua = ''; $dmarc_ruf = ''; @@ -123,7 +123,7 @@ class page_action extends tform_actions { } //set html-values - $app->tpl->setVar('domain', $domain_name); + $app->tpl->setVar('domain', $domain_name, true); //create dmarc-policy-list $dmarc_policy_value = array( @@ -138,9 +138,9 @@ class page_action extends tform_actions { } $app->tpl->setVar('dmarc_policy', $dmarc_policy_list); - if (!empty($dmarc_rua)) $app->tpl->setVar("dmarc_rua", $dmarc_rua); + if (!empty($dmarc_rua)) $app->tpl->setVar("dmarc_rua", $dmarc_rua, true); - if (!empty($dmarc_ruf)) $app->tpl->setVar("dmarc_ruf", $dmarc_ruf); + if (!empty($dmarc_ruf)) $app->tpl->setVar("dmarc_ruf", $dmarc_ruf, true); //set dmarc-fo-options if (isset($dmarc_fo)) { @@ -178,9 +178,9 @@ class page_action extends tform_actions { if ( strpos($dmarc_rf, 'afrf') !== false ) $app->tpl->setVar("dmarc_rf_afrf", 'CHECKED'); if ( strpos($dmarc_rf, 'iodef') !== false ) $app->tpl->setVar("dmarc_rf_iodef", 'CHECKED'); - $app->tpl->setVar("dmarc_pct", $dmarc_pct); + $app->tpl->setVar("dmarc_pct", $dmarc_pct, true); - $app->tpl->setVar("dmarc_ri", $dmarc_ri); + $app->tpl->setVar("dmarc_ri", $dmarc_ri, true); //create dmarc-sp-list $dmarc_sp_value = array( diff --git a/interface/web/dns/dns_import.php b/interface/web/dns/dns_import.php index fb66b7b176ae6392add54894cab364f0b3d6fbe1..405e437838a4895687790f11fbe5dcd971477560 100644 --- a/interface/web/dns/dns_import.php +++ b/interface/web/dns/dns_import.php @@ -587,6 +587,15 @@ if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name' if($dns_rr[$r]['type'] == 'NS' && $dns_rr[$r]['name'] == $soa['name']){ unset($dns_rr[$r]); } + + $valid = true; + $dns_rr[$r]['ttl'] = $app->functions->intval($dns_rr[$r]['ttl']); + $dns_rr[$r]['aux'] = $app->functions->intval($dns_rr[$r]['aux']); + $dns_rr[$r]['data'] = strip_tags($dns_rr[$r]['data']); + if(!preg_match('/^[a-zA-Z0-9\.\-\*]{0,64}$/',$dns_rr[$r]['name'])) $valid == false; + if(!in_array(strtoupper($dns_rr[$r]['type']),array('A','AAAA','ALIAS','CNAME','DS','HINFO','LOC','MX','NAPTR','NS','PTR','RP','SRV','TXT','TLSA','DNSKEY'))) $valid == false; + if($valid == false) unset($dns_rr[$r]); + $r++; } $i++; diff --git a/interface/web/dns/dns_slave_edit.php b/interface/web/dns/dns_slave_edit.php index 4d588ef8e032ab1e0bfd3ae270aacb6bc8292d85..117b101b875de812e10160b1bfe37031164cecb8 100644 --- a/interface/web/dns/dns_slave_edit.php +++ b/interface/web/dns/dns_slave_edit.php @@ -132,7 +132,7 @@ class page_action extends tform_actions { if ($domain['domain'].'.' == $this->dataRecord["origin"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".\r\n"; } } else { @@ -149,7 +149,7 @@ class page_action extends tform_actions { if($this->id > 0) { //* we are editing a existing record $app->tpl->setVar("edit_disabled", 1); - $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]); + $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true); } else { $app->tpl->setVar("edit_disabled", 0); } diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php index 6faefac3903ec588d400fa2b8bb48e69a612ac35..9b36daee1500fb07ecf1c8b5f43668be3a063c96 100644 --- a/interface/web/dns/dns_soa_edit.php +++ b/interface/web/dns/dns_soa_edit.php @@ -179,7 +179,7 @@ class page_action extends tform_actions { $options_dns_servers = ""; foreach ($dns_servers as $dns_server) { - $options_dns_servers .= ''; + $options_dns_servers .= ''; } $app->tpl->setVar("client_server_id", $options_dns_servers); @@ -200,7 +200,7 @@ class page_action extends tform_actions { if ($domain['domain'].'.' == $this->dataRecord["origin"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".\r\n"; } } else { @@ -217,12 +217,12 @@ class page_action extends tform_actions { if($this->id > 0) { //* we are editing a existing record $app->tpl->setVar("edit_disabled", 1); - $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]); + $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true); $datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'dns_soa' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'id:' . $this->id); if(is_array($datalog) && !empty($datalog)){ if(trim($datalog['error']) != ''){ - $app->tpl->setVar("config_error_msg", nl2br(htmlentities($datalog['error']))); + $app->tpl->setVar("config_error_msg", nl2br($app->functions->htmlentities($datalog['error']))); $app->tpl->setVar("config_error_tstamp", date($app->lng('conf_format_datetime'), $datalog['tstamp'])); } } diff --git a/interface/web/dns/dns_spf_edit.php b/interface/web/dns/dns_spf_edit.php index ca109272d8aa17111c7094c7a5eb05386a0feb7a..94096662a1e8e0af7e0e228d322d0c955076b8f2 100644 --- a/interface/web/dns/dns_spf_edit.php +++ b/interface/web/dns/dns_spf_edit.php @@ -83,7 +83,7 @@ class page_action extends tform_actions { $this->id = 1; $old_data = strtolower($rec['data']); - $app->tpl->setVar("data", $old_data); + $app->tpl->setVar("data", $old_data, true); if ($rec['active'] == 'Y') $app->tpl->setVar("active", "CHECKED"); else $app->tpl->setVar("active", "UNCHECKED"); $spf_hostname = ''; @@ -108,9 +108,9 @@ class page_action extends tform_actions { } //set html-values - $app->tpl->setVar("spf_ip", $spf_ip); - $app->tpl->setVar("spf_hostname", $spf_hostname); - $app->tpl->setVar("spf_domain", $spf_domain); + $app->tpl->setVar("spf_ip", $spf_ip, true); + $app->tpl->setVar("spf_hostname", $spf_hostname, true); + $app->tpl->setVar("spf_domain", $spf_domain, true); //create spf-mechanism-list $spf_mechanism_value = array( '+' => 'spf_mechanism_pass_txt', diff --git a/interface/web/dns/dns_srv_edit.php b/interface/web/dns/dns_srv_edit.php index e2b290ab9f1f52a1a3ab3a6786aa5ef5f5b0fdf8..16c1086db3a74452c56a37510a9ef9862739169d 100644 --- a/interface/web/dns/dns_srv_edit.php +++ b/interface/web/dns/dns_srv_edit.php @@ -51,9 +51,9 @@ class page_action extends dns_page_action { // Split the 3 parts of the SRV Record apart $split = explode(' ', $this->dataRecord['data']); - $app->tpl->setVar('weight', $split[0]); - $app->tpl->setVar('port', $split[1]); - $app->tpl->setVar('target', $split[2]); + $app->tpl->setVar('weight', $split[0], true); + $app->tpl->setVar('port', $split[1], true); + $app->tpl->setVar('target', $split[2], true); parent::onShowEnd(); } diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php index 0e955bee09044a9a339b90ea74b631b0ff619db3..32112560a48ba9747f18eee43570acb6c4a96493 100644 --- a/interface/web/dns/dns_wizard.php +++ b/interface/web/dns/dns_wizard.php @@ -183,7 +183,7 @@ if(is_array($fields)) { } else { $app->tpl->setVar($field."_VISIBLE", 1); $field = strtolower($field); - $app->tpl->setVar($field, $_POST[$field]); + $app->tpl->setVar($field, $_POST[$field], true); } } } diff --git a/interface/web/help/faq_delete.php b/interface/web/help/faq_delete.php index e8f36272786fec032bb0d9d23df22a8258b4199a..c1faed60d99afdad537d4447cd009d2f7e49ff50 100644 --- a/interface/web/help/faq_delete.php +++ b/interface/web/help/faq_delete.php @@ -9,10 +9,7 @@ require_once '../../lib/config.inc.php'; require_once '../../lib/app.inc.php'; // Check module permissions -if(!stristr($_SESSION['s']['user']['modules'], 'help')) { - header('Location: ../index.php'); - die; -} +$app->auth->check_module_permissions('admin'); // Load the form $app->uses('tform_actions'); diff --git a/interface/web/help/faq_edit.php b/interface/web/help/faq_edit.php index 629bde88c798f7105ad1b3621ab3cfcfa85fc06f..397f5cccf4233b4a5cefb4485a1f27617d68a1cf 100644 --- a/interface/web/help/faq_edit.php +++ b/interface/web/help/faq_edit.php @@ -8,10 +8,7 @@ require_once '../../lib/config.inc.php'; require_once '../../lib/app.inc.php'; // Check the module permissions and redirect if not allowed. -if(!stristr($_SESSION['s']['user']['modules'], 'help')) { - header('Location: ../index.php'); - die; -} +$app->auth->check_module_permissions('admin'); // Load the templating and form classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/help/faq_list.php b/interface/web/help/faq_list.php index 128480dca2c2573d3dcb630a4a4d0730d00ce640..ed5ffa4fab21103e0bc9026f0466decef1d224dc 100644 --- a/interface/web/help/faq_list.php +++ b/interface/web/help/faq_list.php @@ -7,10 +7,7 @@ require_once '../../lib/app.inc.php'; $list_def_file = 'list/faq_list.php'; // Check the module permissions -if(!stristr($_SESSION['s']['user']['modules'], 'help')) { - header('Location: ../index.php'); - die(); -} +$app->auth->check_module_permissions('help'); // Loading the class $app->uses('listform_actions'); @@ -31,7 +28,7 @@ $app->listform_actions->SQLExtWhere = "help_faq.hf_section = $hf_section"; if($hf_section) $res = $app->db->queryOneRecord("SELECT hfs_name FROM help_faq_sections WHERE hfs_id=?", $hf_section); // Start the form rendering and action ahndling -echo "

    FAQ: ".$res['hfs_name']."

    "; +echo "

    FAQ: ".$app->functions->htmlentities($res['hfs_name'])."

    "; if($hf_section) $app->listform_actions->onLoad(); ?> diff --git a/interface/web/help/faq_manage_questions_list.php b/interface/web/help/faq_manage_questions_list.php index e72824458683f78bd7a2c8323049a5c636931bd3..ae29e752fca36db0737c78171658ab5077dda556 100644 --- a/interface/web/help/faq_manage_questions_list.php +++ b/interface/web/help/faq_manage_questions_list.php @@ -6,7 +6,7 @@ require_once '../../lib/app.inc.php'; $list_def_file = "list/faq_manage_questions_list.php"; //* Check permissions for module -$app->auth->check_module_permissions('help'); +$app->auth->check_module_permissions('admin'); //* Loading the class $app->uses('listform_actions'); diff --git a/interface/web/help/faq_sections_delete.php b/interface/web/help/faq_sections_delete.php index adcacf4376233fe21b53068b89986d736282ae68..865071ff252cc507ef6748322f38cfa341e648d9 100644 --- a/interface/web/help/faq_sections_delete.php +++ b/interface/web/help/faq_sections_delete.php @@ -9,10 +9,7 @@ require_once '../../lib/config.inc.php'; require_once '../../lib/app.inc.php'; // Check module permissions -if(!stristr($_SESSION['s']['user']['modules'], 'help')) { - header('Location: ../index.php'); - die; -} +$app->auth->check_module_permissions('admin'); // Load the form $app->uses('tform_actions'); diff --git a/interface/web/help/faq_sections_edit.php b/interface/web/help/faq_sections_edit.php index 32f0123466c98c6c80235cf4888a459521569afe..f146db8605dd34e9c9980871f4a88923c431c9b5 100644 --- a/interface/web/help/faq_sections_edit.php +++ b/interface/web/help/faq_sections_edit.php @@ -8,10 +8,7 @@ require_once '../../lib/config.inc.php'; require_once '../../lib/app.inc.php'; // Check the module permissions and redirect if not allowed. -if(!stristr($_SESSION['s']['user']['modules'], 'help')) { - header('Location: ../index.php'); - die; -} +$app->auth->check_module_permissions('admin'); // Load the templating and form classes $app->uses('tpl,tform,tform_actions'); diff --git a/interface/web/help/faq_sections_list.php b/interface/web/help/faq_sections_list.php index 4acb4ae20e107942d62815d38d93baa176d39373..7ce9fb0235cba91f44c3930e98b423c0340c1ba2 100644 --- a/interface/web/help/faq_sections_list.php +++ b/interface/web/help/faq_sections_list.php @@ -7,10 +7,7 @@ require_once '../../lib/app.inc.php'; $list_def_file = 'list/faq_sections_list.php'; // Check the module permissions -if(!stristr($_SESSION['s']['user']['modules'], 'help')) { - header('Location: ../index.php'); - die(); -} +$app->auth->check_module_permissions('admin'); // Loading the class $app->uses('listform_actions'); diff --git a/interface/web/help/form/faq.tform.php b/interface/web/help/form/faq.tform.php index e795f3566f034c9f56a2f79f1f221e31b45a2fc2..e440de7e6b87103b3f42e04784192268cf4bb61c 100644 --- a/interface/web/help/form/faq.tform.php +++ b/interface/web/help/form/faq.tform.php @@ -79,6 +79,12 @@ $form['tabs']['message'] = array( 'errmsg'=> 'subject_is_empty' ), ), + 'filters' => array( + 0 => array( 'event' => 'SAVE', + 'type' => 'STRIPTAGS'), + 1 => array( 'event' => 'SAVE', + 'type' => 'STRIPNL') + ), 'default' => '', 'value' => '', 'width' => '30', diff --git a/interface/web/help/templates/help_faq_list.htm b/interface/web/help/templates/help_faq_list.htm index e81dae2e0ba7279ce2c4f5a03203c4e0e04cf15f..28850fe8300e881a6a8407e5e27c516ec48e0ef1 100644 --- a/interface/web/help/templates/help_faq_list.htm +++ b/interface/web/help/templates/help_faq_list.htm @@ -12,5 +12,3 @@
    - - diff --git a/interface/web/index.php b/interface/web/index.php index 4a2103208101e69633d6a18923fc1d81f9137b7e..1bccb1ebe17093938c57fcfadaba577057875ea4 100644 --- a/interface/web/index.php +++ b/interface/web/index.php @@ -41,7 +41,7 @@ if(!isset($_SESSION['s']['module']['name'])) $_SESSION['s']['module']['name'] = $app->uses('tpl'); $app->tpl->newTemplate('main.tpl.htm'); -$app->tpl->setVar('startpage', isset($_SESSION['s']['module']['startpage']) ? $_SESSION['s']['module']['startpage'] : ''); +$app->tpl->setVar('startpage', isset($_SESSION['s']['module']['startpage']) ? $_SESSION['s']['module']['startpage'] : '', true); $app->tpl->setVar('logged_in', ($_SESSION['s']['user']['active'] != 1 ? 'n' : 'y')); // tab change warning? @@ -93,7 +93,7 @@ if(@is_dir($js_d)) { if (!empty($js_d_files)) $app->tpl->setLoop('js_d_includes', $js_d_files); unset($js_d_files); -$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default'); +$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default', true); // Logo $logo = $app->db->queryOneRecord("SELECT * FROM sys_ini WHERE sysini_id = 1"); diff --git a/interface/web/login/index.php b/interface/web/login/index.php index bccf4330af9e6dedc0c9328976cddd9ccb5cf361..441de353ca5aa41fff7f7eaf8a96d1f7422be4a3 100644 --- a/interface/web/login/index.php +++ b/interface/web/login/index.php @@ -340,7 +340,7 @@ $app->tpl->setVar('login_button_txt', $app->lng('login_button_txt')); $app->tpl->setVar('session_timeout', $server_config_array['session_timeout']); $app->tpl->setVar('session_allow_endless', $server_config_array['session_allow_endless']); //$app->tpl->setInclude('content_tpl', 'login/templates/index.htm'); -$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default'); +$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default', true); //die(isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default'); // Logo diff --git a/interface/web/login/password_reset.php b/interface/web/login/password_reset.php index c0d454cd326fce1f1e6ae5d72b55bcf5675cfbb2..e6976bff734798d0c5ee59440c161f072465540c 100644 --- a/interface/web/login/password_reset.php +++ b/interface/web/login/password_reset.php @@ -156,7 +156,7 @@ if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != ' if(isset($_POST) && count($_POST) > 0) $app->tpl->setVar("msg", $wb['pw_error_noinput']); } -$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default'); +$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default', true); // Logo $logo = $app->db->queryOneRecord("SELECT * FROM sys_ini WHERE sysini_id = 1"); diff --git a/interface/web/mail/form/mail_forward.tform.php b/interface/web/mail/form/mail_forward.tform.php index 260d953982778b81ccc453b926e398f84b52f3e0..3c902b4221f717c456133c748238c8e1d77304cd 100644 --- a/interface/web/mail/form/mail_forward.tform.php +++ b/interface/web/mail/form/mail_forward.tform.php @@ -100,9 +100,7 @@ $form["tabs"]['forward'] = array ( 2 => array( 'event' => 'SAVE', 'type' => 'TOLOWER'), 3 => array( 'event' => 'SAVE', - 'type' => 'STRIPTAGS'), - 4 => array( 'event' => 'SAVE', - 'type' => 'STRIPNL') + 'type' => 'STRIPTAGS') ), 'default' => '', 'value' => '', diff --git a/interface/web/mail/mail_alias_edit.php b/interface/web/mail/mail_alias_edit.php index 4292f8f4c2e405c45256a8cdf35000c9eefe8f3c..eb7ff4b4d639f34b887ea6f96bfdd5c1b414d2aa 100644 --- a/interface/web/mail/mail_alias_edit.php +++ b/interface/web/mail/mail_alias_edit.php @@ -83,7 +83,7 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = ($domain["domain"] == @$email_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } } $app->tpl->setVar("email_domain", $domain_select); diff --git a/interface/web/mail/mail_aliasdomain_edit.php b/interface/web/mail/mail_aliasdomain_edit.php index 918a5f3a05b47a9e3a16a328c030e4d8eaafa35d..ef3b16275c5bf4bf69e5df1de50aa10150cd1d41 100644 --- a/interface/web/mail/mail_aliasdomain_edit.php +++ b/interface/web/mail/mail_aliasdomain_edit.php @@ -82,9 +82,9 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = ($domain["domain"] == @$source_domain)?'SELECTED':''; - $source_select .= "\r\n"; + $source_select .= "\r\n"; $selected = ($domain["domain"] == @$destination_domain)?'SELECTED':''; - $destination_select .= "\r\n"; + $destination_select .= "\r\n"; } } $app->tpl->setVar("source_domain", $source_select); diff --git a/interface/web/mail/mail_domain_catchall_edit.php b/interface/web/mail/mail_domain_catchall_edit.php index 60da619e14363aaaa6903febdb4ec81df3e7ed76..4ef18d45e7c8fee393a5b0666c8e5bf6cf6a1bba 100644 --- a/interface/web/mail/mail_domain_catchall_edit.php +++ b/interface/web/mail/mail_domain_catchall_edit.php @@ -82,7 +82,7 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = (isset($email_parts[1]) && $domain["domain"] == $email_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } } $app->tpl->setVar("email_domain", $domain_select); diff --git a/interface/web/mail/mail_domain_edit.php b/interface/web/mail/mail_domain_edit.php index 7565752bd31c575d38731fe09af55c191ba81c70..d7d6ea4c6862bda5ff179078ae38f8efb3474c28 100644 --- a/interface/web/mail/mail_domain_edit.php +++ b/interface/web/mail/mail_domain_edit.php @@ -101,7 +101,7 @@ class page_action extends tform_actions { // Set the mailserver to the default server of the client $tmp = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ?", $client['default_mailserver']); - $app->tpl->setVar("server_id", ""); + $app->tpl->setVar("server_id", ""); unset($tmp); if ($settings['use_domain_module'] != 'y') { @@ -142,7 +142,7 @@ class page_action extends tform_actions { $options_mail_servers = ""; foreach ($mail_servers as $mail_server) { - $options_mail_servers .= ''; + $options_mail_servers .= ''; } $app->tpl->setVar("client_server_id", $options_mail_servers); @@ -167,7 +167,7 @@ class page_action extends tform_actions { if ($domain['domain'] == $this->dataRecord["domain"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n"; } } else { @@ -193,7 +193,7 @@ class page_action extends tform_actions { if(is_array($policys)) { foreach( $policys as $p) { $selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':''; - $policy_select .= "\r\n"; + $policy_select .= "\r\n"; } } $app->tpl->setVar("policy", $policy_select); @@ -204,7 +204,7 @@ class page_action extends tform_actions { if($this->id > 0) { //* we are editing a existing record $app->tpl->setVar("edit_disabled", 1); - $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]); + $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true); } else { $app->tpl->setVar("edit_disabled", 0); } @@ -214,10 +214,10 @@ class page_action extends tform_actions { $rec = $app->db->queryOneRecord($sql, $app->functions->intval($_GET['id'])); $dns_key = str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$rec['dkim_public']); $dns_record = $rec['dkim_selector'] . '._domainkey.' . $rec['domain'] . '. 3600 TXT v=DKIM1; t=s; p=' . $dns_key; - $app->tpl->setVar('dkim_selector', $rec['dkim_selector']); - $app->tpl->setVar('dkim_private', $rec['dkim_private']); - $app->tpl->setVar('dkim_public', $rec['dkim_public']); - if (!empty($rec['dkim_public'])) $app->tpl->setVar('dns_record', $dns_record); + $app->tpl->setVar('dkim_selector', $rec['dkim_selector'], true); + $app->tpl->setVar('dkim_private', $rec['dkim_private'], true); + $app->tpl->setVar('dkim_public', $rec['dkim_public'], true); + if (!empty($rec['dkim_public'])) $app->tpl->setVar('dns_record', $dns_record, true); parent::onShowEnd(); } diff --git a/interface/web/mail/mail_forward_edit.php b/interface/web/mail/mail_forward_edit.php index 17ce213cb2a31a511bf09173a55493497b0b305f..ee8c5f29971b38bbe2cf27e674496eca68a1bb9a 100644 --- a/interface/web/mail/mail_forward_edit.php +++ b/interface/web/mail/mail_forward_edit.php @@ -82,7 +82,7 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = (isset($email_parts[1]) && $domain["domain"] == $email_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } $app->tpl->setVar("email_domain", $domain_select); diff --git a/interface/web/mail/mail_mailinglist_edit.php b/interface/web/mail/mail_mailinglist_edit.php index 1419627529253adf23bba5bdfb5f00ba0de749d5..57d9c77f2efe9f01a0f22a51566fe1d034155684 100644 --- a/interface/web/mail/mail_mailinglist_edit.php +++ b/interface/web/mail/mail_mailinglist_edit.php @@ -116,7 +116,7 @@ class page_action extends tform_actions { if(is_array($domains)) { foreach( $domains as $domain) { $selected = ($domain["domain"] == $this->dataRecord["domain"])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } } $app->tpl->setVar("domain_option", $domain_select); @@ -124,9 +124,9 @@ class page_action extends tform_actions { if($this->id > 0) { //* we are editing a existing record $app->tpl->setVar("edit_disabled", 1); - $app->tpl->setVar("listname_value", $this->dataRecord["listname"]); - $app->tpl->setVar("domain_value", $this->dataRecord["domain"]); - $app->tpl->setVar("email_value", $this->dataRecord["email"]); + $app->tpl->setVar("listname_value", $this->dataRecord["listname"], true); + $app->tpl->setVar("domain_value", $this->dataRecord["domain"], true); + $app->tpl->setVar("email_value", $this->dataRecord["email"], true); } else { $app->tpl->setVar("edit_disabled", 0); } diff --git a/interface/web/mail/mail_spamfilter_edit.php b/interface/web/mail/mail_spamfilter_edit.php index 6282a38b0ff85596a30322381133af5f9a8772ca..c47ec8b41a72072a94a670cd8702e1b051f735d3 100644 --- a/interface/web/mail/mail_spamfilter_edit.php +++ b/interface/web/mail/mail_spamfilter_edit.php @@ -67,7 +67,7 @@ class page_action extends tform_actions { $domain_select = ''; foreach( $domains as $domain) { $selected = ($domain["domain"] == $email_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } $app->tpl->setVar("email_domain", $domain_select); diff --git a/interface/web/mail/mail_transport_edit.php b/interface/web/mail/mail_transport_edit.php index 9707d2fce018433c4e8c0c84a61ba9649548d06a..65667726ad39ff8d6c0d5d5d8b18adc51b6ef705 100644 --- a/interface/web/mail/mail_transport_edit.php +++ b/interface/web/mail/mail_transport_edit.php @@ -70,6 +70,7 @@ class page_action extends tform_actions { function onShowEnd() { global $app, $conf; + $rec = array(); $types = array('smtp' => 'smtp', 'uucp' => 'uucp', 'slow' => 'slow', 'error' => 'error', 'custom' => 'custom', '' => 'null'); $tmp_parts = explode(":", $this->dataRecord["transport"]); if(!empty($this->id) && !stristr($this->dataRecord["transport"], ':')) { @@ -106,7 +107,7 @@ class page_action extends tform_actions { } } $rec["type"] = $type_select; - $app->tpl->setVar($rec); + $app->tpl->setVar($rec, null, true); unset($type); unset($types); diff --git a/interface/web/mail/mail_user_edit.php b/interface/web/mail/mail_user_edit.php index 87d3be66bbf2f4a21b0dbf12d7de76f5ab3cf34d..6cf9b34e3649b6b352d7b05fa65fcb5ceda0a58e 100644 --- a/interface/web/mail/mail_user_edit.php +++ b/interface/web/mail/mail_user_edit.php @@ -84,7 +84,7 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = ($domain["domain"] == @$email_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } } $app->tpl->setVar("email_domain", $domain_select); @@ -100,7 +100,7 @@ class page_action extends tform_actions { if(is_array($policys)) { foreach( $policys as $p) { $selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':''; - $policy_select .= "\r\n"; + $policy_select .= "\r\n"; } } $app->tpl->setVar("policy", $policy_select); @@ -121,7 +121,7 @@ class page_action extends tform_actions { if($this->dataRecord['autoresponder_subject'] == '') { $app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject')); } else { - $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']); + $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true); } $app->uses('getconf'); diff --git a/interface/web/mail/xmpp_domain_edit.php b/interface/web/mail/xmpp_domain_edit.php index 39132011148a73989d67a73cc7057e234f65bb2d..a89d27c4524a76332f22bbdf0f996ddc870e318f 100644 --- a/interface/web/mail/xmpp_domain_edit.php +++ b/interface/web/mail/xmpp_domain_edit.php @@ -165,7 +165,7 @@ class page_action extends tform_actions { $options_xmpp_servers = ""; foreach ($xmpp_servers as $xmpp_server) { - $options_xmpp_servers .= ""; + $options_xmpp_servers .= ""; } $app->tpl->setVar("client_server_id", $options_xmpp_servers); @@ -190,7 +190,7 @@ class page_action extends tform_actions { if ($domain['domain'] == $this->dataRecord["domain"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n"; } } else { @@ -211,7 +211,7 @@ class page_action extends tform_actions { if($this->id > 0) { //* we are editing a existing record $app->tpl->setVar("edit_disabled", 1); - $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]); + $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true); } else { $app->tpl->setVar("edit_disabled", 0); } diff --git a/interface/web/mail/xmpp_user_edit.php b/interface/web/mail/xmpp_user_edit.php index 16d440a9f1a5419a968765eb602d077b43b3504e..188de01ae240d7f3331509e581c82df5df0b1494 100644 --- a/interface/web/mail/xmpp_user_edit.php +++ b/interface/web/mail/xmpp_user_edit.php @@ -83,7 +83,7 @@ class page_action extends tform_actions { foreach( $domains as $domain) { $domain['domain'] = $app->functions->idn_decode($domain['domain']); $selected = ($domain["domain"] == @$jid_parts[1])?'SELECTED':''; - $domain_select .= "\r\n"; + $domain_select .= "\r\n"; } } $app->tpl->setVar("jid_domain", $domain_select); diff --git a/interface/web/mailuser/mail_user_autoresponder_edit.php b/interface/web/mailuser/mail_user_autoresponder_edit.php index 8007c0fd814ee934db7d7b08f43d18321fcffc41..d93151bf24094f72829e2da89dcfb5321b6ee413 100644 --- a/interface/web/mailuser/mail_user_autoresponder_edit.php +++ b/interface/web/mailuser/mail_user_autoresponder_edit.php @@ -84,7 +84,7 @@ class page_action extends tform_actions { if($this->dataRecord['autoresponder_subject'] == '') { $app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject')); } else { - $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']); + $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true); } parent::onShowEnd(); diff --git a/interface/web/mailuser/mail_user_cc_edit.php b/interface/web/mailuser/mail_user_cc_edit.php index 39e5bdf6f95b01fdf1d865aca92b70138ac5186e..778be781ece87a4d7ee5f35bc715c96aafb2cc01 100644 --- a/interface/web/mailuser/mail_user_cc_edit.php +++ b/interface/web/mailuser/mail_user_cc_edit.php @@ -75,7 +75,7 @@ class page_action extends tform_actions { global $app, $conf; $rec = $app->tform->getDataRecord($this->id); - $app->tpl->setVar("email", $rec['email']); + $app->tpl->setVar("email", $rec['email'], true); parent::onShowEnd(); } diff --git a/interface/web/mailuser/mail_user_password_edit.php b/interface/web/mailuser/mail_user_password_edit.php index 07a19259ea0d045e4d3d65ac939d32453dfb6b2f..5c5706177a6b2d0fa41b7a9edd386546764ed688 100644 --- a/interface/web/mailuser/mail_user_password_edit.php +++ b/interface/web/mailuser/mail_user_password_edit.php @@ -63,7 +63,7 @@ class page_action extends tform_actions { global $app, $conf; $rec = $app->tform->getDataRecord($_SESSION['s']['user']['mailuser_id']); - $app->tpl->setVar("email", $rec['email']); + $app->tpl->setVar("email", $rec['email'], true); parent::onShowEnd(); } diff --git a/interface/web/mailuser/mail_user_spamfilter_edit.php b/interface/web/mailuser/mail_user_spamfilter_edit.php index 9d3735672184d0d3c3596c0e7eb19fc59a6a27f8..abbea219376204ce922762129849da67122a4738 100644 --- a/interface/web/mailuser/mail_user_spamfilter_edit.php +++ b/interface/web/mailuser/mail_user_spamfilter_edit.php @@ -112,7 +112,7 @@ class page_action extends tform_actions { global $app, $conf; $rec = $app->tform->getDataRecord($this->id); - $app->tpl->setVar("email", $rec['email']); + $app->tpl->setVar("email", $rec['email'], true); // Get the spamfilter policys for the user $tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = ?", $rec['email']); @@ -122,7 +122,7 @@ class page_action extends tform_actions { if(is_array($policys)) { foreach( $policys as $p) { $selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':''; - $policy_select .= "\r\n"; + $policy_select .= "\r\n"; } } $app->tpl->setVar("policy", $policy_select); diff --git a/interface/web/sites/cron_edit.php b/interface/web/sites/cron_edit.php index a8326493cad61e5537b3ed134fab4a737c3d8cdd..62f338f33f30f6e60502cd9e02398fb2f7e961e8 100644 --- a/interface/web/sites/cron_edit.php +++ b/interface/web/sites/cron_edit.php @@ -73,7 +73,7 @@ class page_action extends tform_actions { if($this->id > 0) { //* we are editing a existing record $app->tpl->setVar("edit_disabled", 1); - $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]); + $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true); } else { $app->tpl->setVar("edit_disabled", 0); } diff --git a/interface/web/sites/database_edit.php b/interface/web/sites/database_edit.php index 213063ae89bdb70c495e630a345caa52e73987cc..71e5acaf27c120d8d332485e494de8af8fd1689a 100644 --- a/interface/web/sites/database_edit.php +++ b/interface/web/sites/database_edit.php @@ -89,7 +89,7 @@ class page_action extends tform_actions { } foreach ($tmp as $db_server) { - $options_db_servers .= ''; + $options_db_servers .= ''; } $app->tpl->setVar("server_id", $options_db_servers); @@ -112,7 +112,7 @@ class page_action extends tform_actions { } foreach ($tmp as $db_server) { - $options_db_servers .= ''; + $options_db_servers .= ''; } $app->tpl->setVar("server_id", $options_db_servers); @@ -143,22 +143,22 @@ class page_action extends tform_actions { if ($this->dataRecord['database_name'] != ""){ /* REMOVE the restriction */ - $app->tpl->setVar("database_name", $app->tools_sites->removePrefix($this->dataRecord['database_name'], $this->dataRecord['database_name_prefix'], $dbname_prefix)); + $app->tpl->setVar("database_name", $app->tools_sites->removePrefix($this->dataRecord['database_name'], $this->dataRecord['database_name_prefix'], $dbname_prefix), true); } if($this->dataRecord['database_name'] == "") { - $app->tpl->setVar("database_name_prefix", $dbname_prefix); + $app->tpl->setVar("database_name_prefix", $dbname_prefix, true); } else { - $app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix'])); + $app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix']), true); } if($this->id > 0) { //* we are editing a existing record $edit_disabled = @($_SESSION["s"]["user"]["typ"] == 'admin')? 0 : 1; //* admin can change the database-name $app->tpl->setVar("edit_disabled", $edit_disabled); - $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]); - $app->tpl->setVar("database_charset_value", $this->dataRecord["database_charset"]); - $app->tpl->setVar("limit_database_quota", $this->dataRecord["database_quota"]); + $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true); + $app->tpl->setVar("database_charset_value", $this->dataRecord["database_charset"], true); + $app->tpl->setVar("limit_database_quota", $this->dataRecord["database_quota"], true); } else { $app->tpl->setVar("edit_disabled", 0); } diff --git a/interface/web/sites/database_user_edit.php b/interface/web/sites/database_user_edit.php index e7bfa611a937be481efde7ae8ba7a8308cbaf01c..07fa1315f062960e5f214aefdaa3eebb19f8837b 100644 --- a/interface/web/sites/database_user_edit.php +++ b/interface/web/sites/database_user_edit.php @@ -118,13 +118,13 @@ class page_action extends tform_actions { if ($this->dataRecord['database_user'] != ""){ /* REMOVE the restriction */ - $app->tpl->setVar("database_user", $app->tools_sites->removePrefix($this->dataRecord['database_user'], $this->dataRecord['database_user_prefix'], $dbuser_prefix)); + $app->tpl->setVar("database_user", $app->tools_sites->removePrefix($this->dataRecord['database_user'], $this->dataRecord['database_user_prefix'], $dbuser_prefix), true); } if($this->dataRecord['database_user'] == "") { - $app->tpl->setVar("database_user_prefix", $dbuser_prefix); + $app->tpl->setVar("database_user_prefix", $dbuser_prefix, true); } else { - $app->tpl->setVar("database_user_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_user_prefix'], $dbuser_prefix, $global_config['dbuser_prefix'])); + $app->tpl->setVar("database_user_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_user_prefix'], $dbuser_prefix, $global_config['dbuser_prefix']), true); } parent::onShowEnd(); diff --git a/interface/web/sites/form/web_childdomain.tform.php b/interface/web/sites/form/web_childdomain.tform.php index 02480db42879a97058306114b8771f7cdd0ff9b2..6cfaa38c2a5188f1441d8f3db59d44bea4a1f3be 100644 --- a/interface/web/sites/form/web_childdomain.tform.php +++ b/interface/web/sites/form/web_childdomain.tform.php @@ -125,7 +125,7 @@ $form["tabs"]['domain'] = array ( 'datatype' => 'VARCHAR', 'formtype' => 'TEXT', 'validators' => array ( 0 => array ( 'type' => 'REGEX', - 'regex' => '@^(([\.]{0})|((ftp|https?)://([-\w\.]+)+(:\d+)?(/([\w/_\.\-\,\+\?\~!:%]*(\?\S+)?)?)?)|(\[scheme\]://([-\w\.]+)+(:\d+)?(/([\w/_\.\-\,\+\?\~!:%]*(\?\S+)?)?)?)|(/(?!.*\.\.)[\w/_\.\-]{1,255}/))$@', + 'regex' => '@^(([\.]{0})|((ftp|https?|\[scheme\])://([-\w\.]+)+(:\d+)?(/([\w/_\.\,\-\+\?\~!:%]*(\?\S+)?)?)?)(?:#\S*)?|(/(?!.*\.\.)[\w/_\.\-]{1,255}/))$@', 'errmsg'=> 'redirect_error_regex'), ), 'default' => '', diff --git a/interface/web/sites/form/web_vhost_domain.tform.php b/interface/web/sites/form/web_vhost_domain.tform.php index 98b006eacfa74aedd5ab328fc287a98954dbbdfe..11132f5469d5c5ebabb2e1e81b95e1de2bb780b0 100644 --- a/interface/web/sites/form/web_vhost_domain.tform.php +++ b/interface/web/sites/form/web_vhost_domain.tform.php @@ -396,7 +396,7 @@ $form["tabs"]['redirect'] = array ( 'redirect_path' => array ( 'datatype' => 'VARCHAR', 'validators' => array ( 0 => array ( 'type' => 'REGEX', - 'regex' => '@^(([\.]{0})|((ftp|https?)://([-\w\.]+)+(:\d+)?(/([\w/_\.\,\-\+\?\~!:%]*(\?\S+)?)?)?)|(\[scheme\]://([-\w\.]+)+(:\d+)?(/([\w/_\.\-\,\+\?\~!:%]*(\?\S+)?)?)?)|(/(?!.*\.\.)[\w/_\.\-]{1,255}/))$@', + 'regex' => '@^(([\.]{0})|((ftp|https?|\[scheme\])://([-\w\.]+)+(:\d+)?(/([\w/_\.\,\-\+\?\~!:%]*(\?\S+)?)?)?)(?:#\S*)?|(/(?!.*\.\.)[\w/_\.\-]{1,255}/))$@', 'errmsg'=> 'redirect_error_regex'), ), 'formtype' => 'TEXT', diff --git a/interface/web/sites/ftp_user_edit.php b/interface/web/sites/ftp_user_edit.php index 9de400ce0392fcff585fe6450621d8c15b6d3d14..7fab1e2273e850d9e59fcb7c48bbd0d4186e1f7a 100644 --- a/interface/web/sites/ftp_user_edit.php +++ b/interface/web/sites/ftp_user_edit.php @@ -79,13 +79,13 @@ class page_action extends tform_actions { if ($this->dataRecord['username'] != ""){ /* REMOVE the restriction */ - $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $ftpuser_prefix)); + $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $ftpuser_prefix), true); } if($this->dataRecord['username'] == "") { - $app->tpl->setVar("username_prefix", $ftpuser_prefix); + $app->tpl->setVar("username_prefix", $ftpuser_prefix, true); } else { - $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $ftpuser_prefix, $global_config['ftpuser_prefix'])); + $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $ftpuser_prefix, $global_config['ftpuser_prefix']), true); } parent::onShowEnd(); diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php index 77c4509b44e7e2c56c5ca72d80e16d3d30b2198e..7f74d893fc54cef87bdbdd423ea7ba6be267a89f 100644 --- a/interface/web/sites/shell_user_edit.php +++ b/interface/web/sites/shell_user_edit.php @@ -79,19 +79,19 @@ class page_action extends tform_actions { if ($this->dataRecord['username'] != ""){ /* REMOVE the restriction */ - $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $shelluser_prefix)); + $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $shelluser_prefix), true); } if($this->dataRecord['username'] == "") { - $app->tpl->setVar("username_prefix", $shelluser_prefix); + $app->tpl->setVar("username_prefix", $shelluser_prefix, true); } else { - $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $shelluser_prefix, $global_config['shelluser_prefix'])); + $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $shelluser_prefix, $global_config['shelluser_prefix']), true); } if($this->id > 0) { //* we are editing a existing record $app->tpl->setVar("edit_disabled", 1); - $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]); + $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true); } else { $app->tpl->setVar("edit_disabled", 0); } diff --git a/interface/web/sites/web_childdomain_edit.php b/interface/web/sites/web_childdomain_edit.php index 6ef98f901fb864083d41b9feb64bd102edab4f67..2da58a4661c4342dfe92402dc6c23aace687ae91 100644 --- a/interface/web/sites/web_childdomain_edit.php +++ b/interface/web/sites/web_childdomain_edit.php @@ -87,7 +87,7 @@ class page_action extends tform_actions { } } - $app->tpl->setVar('childdomain_type', $this->_childdomain_type); + $app->tpl->setVar('childdomain_type', $this->_childdomain_type, true); parent::onShowNew(); } @@ -118,7 +118,7 @@ class page_action extends tform_actions { } elseif($this->_childdomain_type == 'aliasdomain' && $domain['domain'] == $this->dataRecord["domain"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n"; } } else { @@ -144,7 +144,7 @@ class page_action extends tform_actions { $this->dataRecord["domain"] = str_replace('.'.$parent_domain["domain"], '', $this->dataRecord["domain"]); } } - if($this->_childdomain_type == 'subdomain') $app->tpl->setVar("domain", $this->dataRecord["domain"]); + if($this->_childdomain_type == 'subdomain') $app->tpl->setVar("domain", $this->dataRecord["domain"], true); $client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]); if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) { @@ -159,7 +159,7 @@ class page_action extends tform_actions { $proxy_directive_snippets_txt = ''; if(is_array($proxy_directive_snippets) && !empty($proxy_directive_snippets)){ foreach($proxy_directive_snippets as $proxy_directive_snippet){ - $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].'] '; + $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).'] '; } } if($proxy_directive_snippets_txt == '') $proxy_directive_snippets_txt = '------'; @@ -167,7 +167,7 @@ class page_action extends tform_actions { $app->tpl->setVar('limit_ssl_letsencrypt', 'y'); } - $app->tpl->setVar('childdomain_type', $this->_childdomain_type); + $app->tpl->setVar('childdomain_type', $this->_childdomain_type, true); parent::onShowEnd(); diff --git a/interface/web/sites/web_childdomain_list.php b/interface/web/sites/web_childdomain_list.php index a4e953c07e99115de6a14da7952e14d8e42fed66..f445c4b50bf826e2c72a327488e423ad0fc69f48 100644 --- a/interface/web/sites/web_childdomain_list.php +++ b/interface/web/sites/web_childdomain_list.php @@ -56,7 +56,7 @@ $_SESSION['s']['var']['childdomain_type'] = $show_type; class list_action extends listform_actions { function onShow() { global $app; - $app->tpl->setVar('childdomain_type', $_SESSION['s']['var']['childdomain_type']); + $app->tpl->setVar('childdomain_type', $_SESSION['s']['var']['childdomain_type'], true); parent::onShow(); } diff --git a/interface/web/sites/web_vhost_domain_edit.php b/interface/web/sites/web_vhost_domain_edit.php index 023f8db0c52938f467b5c3eb5c8ba6d61e9420c5..52771819c34c2f275e1ce69b689bcf1bd8a4aeb4 100644 --- a/interface/web/sites/web_vhost_domain_edit.php +++ b/interface/web/sites/web_vhost_domain_edit.php @@ -115,7 +115,7 @@ class page_action extends tform_actions { $client = $app->db->queryOneRecord("SELECT client.web_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id); $web_servers = explode(',', $client['web_servers']); $server_id = $web_servers[0]; - $app->tpl->setVar("server_id_value", $server_id); + $app->tpl->setVar("server_id_value", $server_id, true); unset($web_servers); } else { $settings = $app->getconf->get_global_config('sites'); @@ -130,7 +130,7 @@ class page_action extends tform_actions { $app->tform->formDef['tabs']['domain']['fields']['php']['default'] = $web_config['php_handler']; $app->tform->formDef['tabs']['domain']['readonly'] = false; - $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type); + $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type, true); parent::onShowNew(); } @@ -179,7 +179,7 @@ class page_action extends tform_actions { $options_web_servers = ""; foreach ($web_servers as $web_server) { - $options_web_servers .= ''; + $options_web_servers .= ''; } $app->tpl->setVar("server_id", $options_web_servers); @@ -214,7 +214,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ip_address", $ip_select); @@ -230,7 +230,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ipv6_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ipv6_address", $ip_select); @@ -266,7 +266,7 @@ class page_action extends tform_actions { $php_version = $php_record['name'].':'.$php_record['php_fastcgi_binary'].':'.$php_record['php_fastcgi_ini_dir']; } $selected = ($php_version == $this->dataRecord["fastcgi_php_version"])?'SELECTED':''; - $php_select .= "\r\n"; + $php_select .= "\r\n"; } } $app->tpl->setVar("fastcgi_php_version", $php_select); @@ -306,7 +306,7 @@ class page_action extends tform_actions { $options_web_servers = ""; foreach ($web_servers as $web_server) { - $options_web_servers .= ''; + $options_web_servers .= ''; } $app->tpl->setVar("server_id", $options_web_servers); @@ -361,7 +361,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ip_address", $ip_select); @@ -376,7 +376,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ipv6_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ipv6_address", $ip_select); @@ -413,7 +413,7 @@ class page_action extends tform_actions { $php_version = $php_record['name'].':'.$php_record['php_fastcgi_binary'].':'.$php_record['php_fastcgi_ini_dir']; } $selected = ($php_version == $this->dataRecord["fastcgi_php_version"])?'SELECTED':''; - $php_select .= "\r\n"; + $php_select .= "\r\n"; } } $app->tpl->setVar("fastcgi_php_version", $php_select); @@ -441,7 +441,7 @@ class page_action extends tform_actions { $php_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
    '; foreach($php_directive_snippets as $php_directive_snippet){ $php_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $php_directive_snippet['snippet'] . PHP_EOL; - $php_directive_snippets_txt .= '['.$php_directive_snippet['name'].']     '; + $php_directive_snippets_txt .= '['.$app->functions->htmlentities($php_directive_snippet['name']).']     '; } } if($php_directive_snippets_txt == '') $php_directive_snippets_txt = '------'; @@ -464,7 +464,7 @@ class page_action extends tform_actions { $apache_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
    '; foreach($apache_directive_snippets as $apache_directive_snippet){ $apache_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $apache_directive_snippet['snippet'] . PHP_EOL; - $apache_directive_snippets_txt .= '['.$apache_directive_snippet['name'].']     '; + $apache_directive_snippets_txt .= '['.$app->functions->htmlentities($apache_directive_snippet['name']).']     '; } } if($apache_directive_snippets_txt == '') $apache_directive_snippets_txt = '------'; @@ -478,7 +478,7 @@ class page_action extends tform_actions { $nginx_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
    '; foreach($nginx_directive_snippets as $nginx_directive_snippet){ $nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL; - $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']     '; + $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']     '; } $nginx_directive_snippets_txt .= '

    '; } @@ -488,7 +488,7 @@ class page_action extends tform_actions { $nginx_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
    '; foreach($nginx_directive_snippets as $nginx_directive_snippet){ $nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL; - $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']     '; + $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']     '; } } if($nginx_directive_snippets_txt == '') $nginx_directive_snippets_txt = '------'; @@ -501,7 +501,7 @@ class page_action extends tform_actions { $proxy_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
    '; foreach($proxy_directive_snippets as $proxy_directive_snippet){ $proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL; - $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']     '; + $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']     '; } $proxy_directive_snippets_txt .= '

    '; } @@ -511,7 +511,7 @@ class page_action extends tform_actions { $proxy_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
    '; foreach($proxy_directive_snippets as $proxy_directive_snippet){ $proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL; - $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']     '; + $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']     '; } } if($proxy_directive_snippets_txt == '') $proxy_directive_snippets_txt = '------'; @@ -557,7 +557,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ip_address", $ip_select); @@ -572,7 +572,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ipv6_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ipv6_address", $ip_select); @@ -633,7 +633,7 @@ class page_action extends tform_actions { $php_version = $php_record['name'].':'.$php_record['php_fastcgi_binary'].':'.$php_record['php_fastcgi_ini_dir']; } $selected = ($php_version == $this->dataRecord["fastcgi_php_version"])?'SELECTED':''; - $php_select .= "\r\n"; + $php_select .= "\r\n"; } } $app->tpl->setVar("fastcgi_php_version", $php_select); @@ -648,7 +648,7 @@ class page_action extends tform_actions { $php_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
    '; foreach($php_directive_snippets as $php_directive_snippet){ $php_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $php_directive_snippet['snippet'] . PHP_EOL; - $php_directive_snippets_txt .= '['.$php_directive_snippet['name'].']     '; + $php_directive_snippets_txt .= '['.$app->functions->htmlentities($php_directive_snippet['name']).']     '; } $php_directive_snippets_txt .= '

    '; } @@ -658,7 +658,7 @@ class page_action extends tform_actions { $php_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
    '; foreach($php_directive_snippets as $php_directive_snippet){ $php_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $php_directive_snippet['snippet'] . PHP_EOL; - $php_directive_snippets_txt .= '['.$php_directive_snippet['name'].']     '; + $php_directive_snippets_txt .= '['.$app->functions->htmlentities($php_directive_snippet['name']).']     '; } } if($php_directive_snippets_txt == '') $php_directive_snippets_txt = '------'; @@ -671,7 +671,7 @@ class page_action extends tform_actions { $apache_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
    '; foreach($apache_directive_snippets as $apache_directive_snippet){ $apache_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $apache_directive_snippet['snippet'] . PHP_EOL; - $apache_directive_snippets_txt .= '['.$apache_directive_snippet['name'].']     '; + $apache_directive_snippets_txt .= '['.$app->functions->htmlentities($apache_directive_snippet['name']).']     '; } $apache_directive_snippets_txt .= '

    '; } @@ -681,7 +681,7 @@ class page_action extends tform_actions { $apache_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
    '; foreach($apache_directive_snippets as $apache_directive_snippet){ $apache_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $apache_directive_snippet['snippet'] . PHP_EOL; - $apache_directive_snippets_txt .= '['.$apache_directive_snippet['name'].']     '; + $apache_directive_snippets_txt .= '['.$app->functions->htmlentities($apache_directive_snippet['name']).']     '; } } if($apache_directive_snippets_txt == '') $apache_directive_snippets_txt = '------'; @@ -695,7 +695,7 @@ class page_action extends tform_actions { $nginx_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
    '; foreach($nginx_directive_snippets as $nginx_directive_snippet){ $nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL; - $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']     '; + $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']     '; } $nginx_directive_snippets_txt .= '

    '; } @@ -705,7 +705,7 @@ class page_action extends tform_actions { $nginx_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
    '; foreach($nginx_directive_snippets as $nginx_directive_snippet){ $nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL; - $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']     '; + $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']     '; } } if($nginx_directive_snippets_txt == '') $nginx_directive_snippets_txt = '------'; @@ -718,7 +718,7 @@ class page_action extends tform_actions { $proxy_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
    '; foreach($proxy_directive_snippets as $proxy_directive_snippet){ $proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL; - $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']     '; + $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']     '; } $proxy_directive_snippets_txt .= '

    '; } @@ -728,7 +728,7 @@ class page_action extends tform_actions { $proxy_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
    '; foreach($proxy_directive_snippets as $proxy_directive_snippet){ $proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL; - $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']     '; + $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']     '; } } if($proxy_directive_snippets_txt == '') $proxy_directive_snippets_txt = '------'; @@ -748,7 +748,7 @@ class page_action extends tform_actions { if(is_array($ssl_domains)) { foreach( $ssl_domains as $ssl_domain) { $selected = ($ssl_domain == $this->dataRecord['ssl_domain'])?'SELECTED':''; - $ssl_domain_select .= "\r\n"; + $ssl_domain_select .= "\r\n"; } } $app->tpl->setVar("ssl_domain", $ssl_domain_select); @@ -761,8 +761,8 @@ class page_action extends tform_actions { $app->tpl->setVar("edit_disabled", 1); $app->tpl->setVar('fixed_folder', 'y'); if($this->_vhostdomain_type == 'domain') { - $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]); - $app->tpl->setVar("document_root", $this->dataRecord["document_root"]); + $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true); + $app->tpl->setVar("document_root", $this->dataRecord["document_root"], true); } else $app->tpl->setVar('server_id_value', $parent_domain['server_id']); } else { @@ -798,7 +798,7 @@ class page_action extends tform_actions { } elseif($this->_vhostdomain_type == 'domain' && $domain['domain'] == $this->dataRecord["domain"]) { $domain_select .= " selected"; } - $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n"; + $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n"; } } else { @@ -820,20 +820,20 @@ class page_action extends tform_actions { if($this->dataRecord["type"] == 'vhostsubdomain') $this->dataRecord["domain"] = str_replace('.'.$parent_domain["domain"], '', $this->dataRecord["domain"]); } - if($this->_vhostdomain_type != 'domain') $app->tpl->setVar("domain", $this->dataRecord["domain"]); + if($this->_vhostdomain_type != 'domain') $app->tpl->setVar("domain", $this->dataRecord["domain"], true); // check for configuration errors in sys_datalog if($this->id > 0) { $datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'web_domain' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'domain_id:' . $this->id); if(is_array($datalog) && !empty($datalog)){ if(trim($datalog['error']) != ''){ - $app->tpl->setVar("config_error_msg", nl2br(htmlentities($datalog['error']))); + $app->tpl->setVar("config_error_msg", nl2br($app->functions->htmlentities($datalog['error']))); $app->tpl->setVar("config_error_tstamp", date($app->lng('conf_format_datetime'), $datalog['tstamp'])); } } } - $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type); + $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type, true); $app->tpl->setVar('is_spdy_enabled', ($web_config['enable_spdy'] === 'y')); $app->tpl->setVar("is_admin", $is_admin); @@ -859,7 +859,7 @@ class page_action extends tform_actions { if(is_array($m_directive_snippets) && !empty($m_directive_snippets)){ $directive_snippets_id_select .= ''; foreach($m_directive_snippets as $m_directive_snippet){ - $directive_snippets_id_select .= ''; + $directive_snippets_id_select .= ''; } $directive_snippets_id_select .= ''; } @@ -868,7 +868,7 @@ class page_action extends tform_actions { if(is_array($directive_snippets) && !empty($directive_snippets)){ $directive_snippets_id_select .= ''; foreach($directive_snippets as $directive_snippet){ - $directive_snippets_id_select .= ''; + $directive_snippets_id_select .= ''; } $directive_snippets_id_select .= ''; } diff --git a/interface/web/sites/web_vhost_domain_list.php b/interface/web/sites/web_vhost_domain_list.php index 378eeaaf6a2bfa3acaf44e4325ba428162082a86..b74fd644f70bd42fadb6fcec7b38389e9c83d777 100644 --- a/interface/web/sites/web_vhost_domain_list.php +++ b/interface/web/sites/web_vhost_domain_list.php @@ -68,7 +68,7 @@ $_SESSION['s']['var']['vhostdomain_type'] = $show_type; class list_action extends listform_actions { function onShow() { global $app; - $app->tpl->setVar('vhostdomain_type', $_SESSION['s']['var']['vhostdomain_type']); + $app->tpl->setVar('vhostdomain_type', $_SESSION['s']['var']['vhostdomain_type'], true); parent::onShow(); } diff --git a/interface/web/sites/webdav_user_edit.php b/interface/web/sites/webdav_user_edit.php index 73e47eb7a98d5ef6e847614384eb9df1d11aea38..e02e0bdaff10e56bb3ac4a41d615a4b53b6ce79b 100644 --- a/interface/web/sites/webdav_user_edit.php +++ b/interface/web/sites/webdav_user_edit.php @@ -78,19 +78,19 @@ class page_action extends tform_actions { if ($this->dataRecord['username'] != "") { /* REMOVE the restriction */ - $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $webdavuser_prefix)); + $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $webdavuser_prefix), true); } if($this->dataRecord['username'] == "") { - $app->tpl->setVar("username_prefix", $webdavuser_prefix); + $app->tpl->setVar("username_prefix", $webdavuser_prefix, true); } else { - $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix'])); + $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix']), true); } if($this->id > 0) { //* we are editing a existing record $app->tpl->setVar("edit_disabled", 1); - $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]); + $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true); } else { $app->tpl->setVar("edit_disabled", 0); } diff --git a/interface/web/tools/dns_import_tupa.php b/interface/web/tools/dns_import_tupa.php index 849a097680f74a6f7bd68584340f3fc4c76fa1f0..12bd03529673c39a8b5d9979e2f4cf4bc6a84111 100644 --- a/interface/web/tools/dns_import_tupa.php +++ b/interface/web/tools/dns_import_tupa.php @@ -50,10 +50,10 @@ if(isset($_POST['start']) && $_POST['start'] == 1) { $app->auth->csrf_token_check(); //* Set variable sin template - $app->tpl->setVar('dbhost', $_POST['dbhost']); - $app->tpl->setVar('dbname', $_POST['dbname']); - $app->tpl->setVar('dbuser', $_POST['dbuser']); - $app->tpl->setVar('dbpassword', $_POST['dbpassword']); + $app->tpl->setVar('dbhost', $_POST['dbhost'], true); + $app->tpl->setVar('dbname', $_POST['dbname'], true); + $app->tpl->setVar('dbuser', $_POST['dbuser'], true); + $app->tpl->setVar('dbpassword', $_POST['dbpassword'], true); //* Establish connection to external database $msg .= 'Connecting to external database...
    '; diff --git a/interface/web/tools/import_ispconfig.php b/interface/web/tools/import_ispconfig.php index c43b15b7eb0ef286ff5d66ab8220f1e1d91bb2c1..0e7763dd98d15a79f660e0ade9f03b89f3a4b9bf 100644 --- a/interface/web/tools/import_ispconfig.php +++ b/interface/web/tools/import_ispconfig.php @@ -142,9 +142,9 @@ if(isset($_POST['connected'])) { } -$app->tpl->setVar('remote_server', $_POST['remote_server']); -$app->tpl->setVar('remote_user', $_POST['remote_user']); -$app->tpl->setVar('remote_password', $_POST['remote_password']); +$app->tpl->setVar('remote_server', $_POST['remote_server'], true); +$app->tpl->setVar('remote_user', $_POST['remote_user'], true); +$app->tpl->setVar('remote_password', $_POST['remote_password'], true); $app->tpl->setVar('connected', $connected); $app->tpl->setVar('remote_session_id', $remote_session_id); $app->tpl->setVar('msg', $msg); diff --git a/interface/web/tools/import_vpopmail.php b/interface/web/tools/import_vpopmail.php index 9e560cdf30455be6c9e3459aec98334cfa3a7a54..3ef87710e593cb37c6980e5cfa4e16c54052dc3d 100644 --- a/interface/web/tools/import_vpopmail.php +++ b/interface/web/tools/import_vpopmail.php @@ -84,11 +84,11 @@ if(isset($_POST['db_hostname']) && $_POST['db_hostname'] != '') { $_POST['local_server_id'] = 1; } -$app->tpl->setVar('db_hostname', $_POST['db_hostname']); -$app->tpl->setVar('db_user', $_POST['db_user']); -$app->tpl->setVar('db_password', $_POST['db_password']); -$app->tpl->setVar('db_name', $_POST['db_name']); -$app->tpl->setVar('local_server_id', $_POST['local_server_id']); +$app->tpl->setVar('db_hostname', $_POST['db_hostname'], true); +$app->tpl->setVar('db_user', $_POST['db_user'], true); +$app->tpl->setVar('db_password', $_POST['db_password'], true); +$app->tpl->setVar('db_name', $_POST['db_name'], true); +$app->tpl->setVar('local_server_id', $_POST['local_server_id'], true); $app->tpl->setVar('msg', $msg); $app->tpl->setVar('error', $error); diff --git a/interface/web/vm/openvz_vm_edit.php b/interface/web/vm/openvz_vm_edit.php index 2a5b12f3d712886143a05b65acdfbed536afcad1..4dd1a551deff4e8cb40c7f2cb23200acbc93627e 100644 --- a/interface/web/vm/openvz_vm_edit.php +++ b/interface/web/vm/openvz_vm_edit.php @@ -86,7 +86,7 @@ class page_action extends tform_actions { if(is_array($records)) { foreach( $records as $rec) { $selected = @($rec["template_id"] == $this->dataRecord["template_id"])?'SELECTED':''; - $template_id_select .= "\r\n"; + $template_id_select .= "\r\n"; } } $app->tpl->setVar("template_id_select", $template_id_select); @@ -109,7 +109,7 @@ class page_action extends tform_actions { if(is_array($records)) { foreach( $records as $rec) { $selected = @(is_array($this->dataRecord) && ($client["groupid"] == $this->dataRecord['client_group_id'] || $client["groupid"] == $this->dataRecord['sys_groupid']))?'SELECTED':''; - $client_select .= "\r\n"; + $client_select .= "\r\n"; } } $app->tpl->setVar("client_group_id", $client_select); @@ -124,7 +124,7 @@ class page_action extends tform_actions { if(is_array($records)) { foreach( $records as $rec) { $selected = @($rec["template_id"] == $this->dataRecord["template_id"])?'SELECTED':''; - $template_id_select .= "\r\n"; + $template_id_select .= "\r\n"; } } $app->tpl->setVar("template_id_select", $template_id_select); @@ -141,7 +141,7 @@ class page_action extends tform_actions { if(is_array($clients)) { foreach( $clients as $client) { $selected = @(is_array($this->dataRecord) && ($client["groupid"] == $this->dataRecord['client_group_id'] || $client["groupid"] == $this->dataRecord['sys_groupid']))?'SELECTED':''; - $client_select .= "\r\n"; + $client_select .= "\r\n"; } } $app->tpl->setVar("client_group_id", $client_select); @@ -153,7 +153,7 @@ class page_action extends tform_actions { $template_id_select=''; foreach( $records as $rec) { $selected = @($rec["template_id"] == $this->dataRecord["template_id"])?'SELECTED':''; - $template_id_select .= "\r\n"; + $template_id_select .= "\r\n"; } } $app->tpl->setVar("template_id_select", $template_id_select); @@ -175,7 +175,7 @@ class page_action extends tform_actions { if(is_array($ips)) { foreach( $ips as $ip) { $selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':''; - $ip_select .= "\r\n"; + $ip_select .= "\r\n"; } } $app->tpl->setVar("ip_address", $ip_select); @@ -188,7 +188,7 @@ class page_action extends tform_actions { foreach ($additional_ips as $idx => $rec) { $temp .= ""; $used = @($rec['additional']=='y')?'CHECKED':''; - $temp .= " ".$rec['ip_address']."
    "; + $temp .= " ".$app->functions->htmlentities($rec['ip_address'])."
    "; } $app->tpl->setVar("additional_ip", $temp); unset($used); @@ -198,8 +198,8 @@ class page_action extends tform_actions { if($this->id > 0) { //* we are editing a existing record $app->tpl->setVar("edit_disabled", 1); - $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]); - $app->tpl->setVar("ostemplate_id_value", $this->dataRecord["ostemplate_id"]); + $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true); + $app->tpl->setVar("ostemplate_id_value", $this->dataRecord["ostemplate_id"], true); } else { $app->tpl->setVar("edit_disabled", 0); } diff --git a/security/security_settings.ini b/security/security_settings.ini index eb78e24d53d5ef1cce7d3d4176843bfcfafc66fd..d7b65ba48ec23aac32b1d6296f66962ea3ae662e 100644 --- a/security/security_settings.ini +++ b/security/security_settings.ini @@ -19,10 +19,18 @@ password_reset_allowed=yes session_regenerate_id=yes [ids] -ids_enabled=no -ids_log_level=1 -ids_warn_level=5 -ids_block_level=100 +ids_anon_enabled=yes +ids_anon_log_level=1 +ids_anon_warn_level=5 +ids_anon_block_level=20 +ids_user_enabled=yes +ids_user_log_level=1 +ids_user_warn_level=10 +ids_user_block_level=25 +ids_admin_enabled=no +ids_admin_log_level=1 +ids_admin_warn_level=5 +ids_admin_block_level=100 sql_scan_enabled=yes sql_scan_action=warn apache_directives_scan_enabled=yes diff --git a/server/conf/vhost.conf.master b/server/conf/vhost.conf.master index 063b5c7e3390666fb569578f97ec5448e9b38b35..6a026d447a6862984e56b8471eb32d09a8d2ae65 100644 --- a/server/conf/vhost.conf.master +++ b/server/conf/vhost.conf.master @@ -182,6 +182,13 @@ + + + SetHandler mod_python + + PythonHandler mod_python.publisher + PythonDebug On + SetHandler mod_python diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php index 1a802bcf96dd8078f62c7df8032dd5dc49e3da90..37b903daf06dbc58ff1438014ad52f141b6fe764 100644 --- a/server/plugins-available/apache2_plugin.inc.php +++ b/server/plugins-available/apache2_plugin.inc.php @@ -457,11 +457,11 @@ class apache2_plugin { $app->system->unlink($crt_file); $app->system->unlink($bundle_file); /* Update the DB of the (local) Server */ - $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ?", $data['new']['domain']); - $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']); + $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']); + $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']); /* Update also the master-DB of the Server-Farm */ - $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ?", $data['new']['domain']); - $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']); + $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']); + $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']); $app->log('Deleting SSL Cert for: '.$domain, LOGLEVEL_DEBUG); } @@ -681,10 +681,10 @@ class apache2_plugin { $fstab_line_old = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind'; if($web_config['network_filesystem'] == 'y') { - $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nobootwait,_netdev 0 0'; + $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nofail,_netdev 0 0'; $app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1); } else { - $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nobootwait 0 0'; + $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nofail 0 0'; $app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1); } diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php index daf953e2650063799c2f52e6642ab9c90183c06e..8335ce2e3f6e26c75bdbf72d4f725666c30959b9 100644 --- a/server/plugins-available/nginx_plugin.inc.php +++ b/server/plugins-available/nginx_plugin.inc.php @@ -289,11 +289,11 @@ class nginx_plugin { $app->system->unlink($csr_file); $app->system->unlink($crt_file); /* Update the DB of the (local) Server */ - $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ?", $data['new']['domain']); - $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']); + $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']); + $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']); /* Update also the master-DB of the Server-Farm */ - $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ?", $data['new']['domain']); - $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']); + $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']); + $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']); $app->log('Deleting SSL Cert for: '.$domain, LOGLEVEL_DEBUG); } @@ -528,10 +528,10 @@ class nginx_plugin { $fstab_line_old = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind'; if($web_config['network_filesystem'] == 'y') { - $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nobootwait,_netdev 0 0'; + $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nofail,_netdev 0 0'; $app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1); } else { - $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nobootwait 0 0'; + $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nofail 0 0'; $app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1); } diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php index 74c6fa364f77611c77096ef7b53570690e1c00c1..9c4568901deef3e73b8051929ca94247070e6fd2 100755 --- a/server/plugins-available/shelluser_base_plugin.inc.php +++ b/server/plugins-available/shelluser_base_plugin.inc.php @@ -226,6 +226,9 @@ class shelluser_base_plugin { $homedir_old = $data['old']['dir'].'/home/'.$data['old']['username']; } + $app->log("Homedir New: ".$homedir, LOGLEVEL_DEBUG); + $app->log("Homedir Old: ".$homedir_old, LOGLEVEL_DEBUG); + // Check if the user that we want to update exists, if not, we insert it if($app->system->is_user($data['old']['username'])) { //* Remove webfolder protection @@ -246,16 +249,27 @@ class shelluser_base_plugin { $app->log("Executed command: $command ",LOGLEVEL_DEBUG); */ //$groupinfo = $app->system->posix_getgrnam($data['new']['pgroup']); - if($homedir != $homedir_old && !is_dir($homedir)){ + if($homedir != $homedir_old){ $app->system->web_folder_protection($web['document_root'], false); - if(!is_dir($data['new']['dir'].'/home')){ + // Rename dir, in case the new directory exists already. + if(is_dir($homedir)) { + $app->log("New Homedir exists, renaming it to ".$homedir.'_bak', LOGLEVEL_DEBUG); + $app->system->rename(escapeshellcmd($homedir),escapeshellcmd($homedir.'_bak')); + } + /*if(!is_dir($data['new']['dir'].'/home')){ $app->file->mkdirs(escapeshellcmd($data['new']['dir'].'/home'), '0750'); $app->system->chown(escapeshellcmd($data['new']['dir'].'/home'),escapeshellcmd($data['new']['puser'])); $app->system->chgrp(escapeshellcmd($data['new']['dir'].'/home'),escapeshellcmd($data['new']['pgroup'])); } $app->file->mkdirs(escapeshellcmd($homedir), '0755'); $app->system->chown(escapeshellcmd($homedir),'root'); - $app->system->chgrp(escapeshellcmd($homedir),'root'); + $app->system->chgrp(escapeshellcmd($homedir),'root');*/ + + // Move old directory to new path + $app->system->rename(escapeshellcmd($homedir_old),escapeshellcmd($homedir)); + $app->file->mkdirs(escapeshellcmd($homedir), '0750'); + $app->system->chown(escapeshellcmd($homedir),escapeshellcmd($data['new']['puser'])); + $app->system->chgrp(escapeshellcmd($homedir),escapeshellcmd($data['new']['pgroup'])); $app->system->web_folder_protection($web['document_root'], true); } else { if(!is_dir($homedir)){ diff --git a/server/plugins-available/shelluser_jailkit_plugin.inc.php b/server/plugins-available/shelluser_jailkit_plugin.inc.php index 69a041c037e4c2f96907ae2bd58b3ff8c09ee287..295112d4230e1f77ad55b862b78f5bba577d6506 100755 --- a/server/plugins-available/shelluser_jailkit_plugin.inc.php +++ b/server/plugins-available/shelluser_jailkit_plugin.inc.php @@ -350,6 +350,11 @@ class shelluser_jailkit_plugin { //add the user to the chroot $jailkit_chroot_userhome = $this->_get_home_dir($this->data['new']['username']); + if(isset($this->data['old']['username'])) { + $jailkit_chroot_userhome_old = $this->_get_home_dir($this->data['old']['username']); + } else { + $jailkit_chroot_userhome_old = ''; + } $jailkit_chroot_puserhome = $this->_get_home_dir($this->data['new']['puser']); if(!is_dir($this->data['new']['dir'].'/etc')) mkdir($this->data['new']['dir'].'/etc', 0755); @@ -398,13 +403,19 @@ class shelluser_jailkit_plugin { $this->app->log("Added jailkit user to chroot with command: ".$command, LOGLEVEL_DEBUG); - if(!is_dir($this->data['new']['dir'].$jailkit_chroot_userhome)) mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), 0755, true); + if(!is_dir($this->data['new']['dir'].$jailkit_chroot_userhome)) { + if(is_dir($this->data['old']['dir'].$jailkit_chroot_userhome_old)) { + $app->system->rename(escapeshellcmd($this->data['old']['dir'].$jailkit_chroot_userhome_old),escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome)); + } else { + mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), 0750, true); + } + } $app->system->chown(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), $this->data['new']['username']); $app->system->chgrp(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), $this->data['new']['pgroup']); $this->app->log("Added created jailkit user home in : ".$this->data['new']['dir'].$jailkit_chroot_userhome, LOGLEVEL_DEBUG); - if(!is_dir($this->data['new']['dir'].$jailkit_chroot_puserhome)) mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), 0755, true); + if(!is_dir($this->data['new']['dir'].$jailkit_chroot_puserhome)) mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), 0750, true); $app->system->chown(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), $this->data['new']['puser']); $app->system->chgrp(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), $this->data['new']['pgroup']);