diff --git a/interface/lib/app.inc.php b/interface/lib/app.inc.php
index edbba27c7c2ea6cfaafd82333e74dbf5bc94848d..1cc96e9c2e28a5399040b6c2c2c5b450e5c96a41 100755
--- a/interface/lib/app.inc.php
+++ b/interface/lib/app.inc.php
@@ -298,14 +298,14 @@ class app {
$this->tpl->setVar('phpsessid', session_id());
- $this->tpl->setVar('theme', $_SESSION['s']['theme']);
+ $this->tpl->setVar('theme', $_SESSION['s']['theme'], true);
$this->tpl->setVar('html_content_encoding', $this->_conf['html_content_encoding']);
$this->tpl->setVar('delete_confirmation', $this->lng('delete_confirmation'));
//print_r($_SESSION);
if(isset($_SESSION['s']['module']['name'])) {
- $this->tpl->setVar('app_module', $_SESSION['s']['module']['name']);
- $this->tpl->setVar('session_module', $_SESSION['s']['module']['name']);
+ $this->tpl->setVar('app_module', $_SESSION['s']['module']['name'], true);
+ $this->tpl->setVar('session_module', $_SESSION['s']['module']['name'], true);
}
if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') {
$this->tpl->setVar('is_admin', 1);
@@ -315,7 +315,7 @@ class app {
}
/* Show username */
if(isset($_SESSION['s']['user'])) {
- $this->tpl->setVar('cpuser', $_SESSION['s']['user']['username']);
+ $this->tpl->setVar('cpuser', $_SESSION['s']['user']['username'], true);
$this->tpl->setVar('logout_txt', $this->lng('logout_txt'));
/* Show search field only for normal users, not mail users */
if(stristr($_SESSION['s']['user']['username'], '@')){
@@ -342,7 +342,7 @@ $app = new app();
// load and enable PHP Intrusion Detection System (PHPIDS)
$ids_security_config = $app->getconf->get_security_config('ids');
-if(is_dir(ISPC_CLASS_PATH.'/IDS') && $ids_security_config['ids_enabled'] == 'yes') {
+if(is_dir(ISPC_CLASS_PATH.'/IDS') && ($ids_security_config['ids_anon_enabled'] == 'yes' || $ids_security_config['ids_user_enabled'] == 'yes' || $ids_security_config['ids_admin_enabled'] == 'yes')) {
$app->uses('ids');
$app->ids->start();
}
diff --git a/interface/lib/classes/db_mysql.inc.php b/interface/lib/classes/db_mysql.inc.php
index e0c003abca71a5d7117dcf360ffd95801b2e289d..948d4e81ff2461fb9fb67393e21d1a383ea1fce6 100644
--- a/interface/lib/classes/db_mysql.inc.php
+++ b/interface/lib/classes/db_mysql.inc.php
@@ -472,7 +472,7 @@ class db {
public function escape($sString) {
global $app;
if(!is_string($sString) && !is_numeric($sString)) {
- $app->log('NON-String given in escape function! (' . gettype($sString) . ')', LOGLEVEL_INFO);
+ $app->log('NON-String given in escape function! (' . gettype($sString) . ')', LOGLEVEL_DEBUG);
//$sAddMsg = getDebugBacktrace();
$app->log($sAddMsg, LOGLEVEL_DEBUG);
$sString = '';
@@ -481,7 +481,7 @@ class db {
$cur_encoding = mb_detect_encoding($sString);
if($cur_encoding != "UTF-8") {
if($cur_encoding != 'ASCII') {
- if(is_object($app) && method_exists($app, 'log')) $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_INFO);
+ if(is_object($app) && method_exists($app, 'log')) $app->log('String ' . substr($sString, 0, 25) . '... is ' . $cur_encoding . '.', LOGLEVEL_DEBUG);
if($cur_encoding) $sString = mb_convert_encoding($sString, 'UTF-8', $cur_encoding);
else $sString = mb_convert_encoding($sString, 'UTF-8');
}
diff --git a/interface/lib/classes/ids.inc.php b/interface/lib/classes/ids.inc.php
index ac5cb1912897f0eb0355715c24985092bc4d386a..abdf32b30251543045b0302158378748eba17d8b 100644
--- a/interface/lib/classes/ids.inc.php
+++ b/interface/lib/classes/ids.inc.php
@@ -118,7 +118,25 @@ class ids {
$impact = $ids_result->getImpact();
- if($impact >= $security_config['ids_log_level']) {
+ // Choose level from security config
+ if($app->auth->is_admin()) {
+ // User is admin
+ $ids_log_level = $security_config['ids_admin_log_level'];
+ $ids_warn_level = $security_config['ids_admin_warn_level'];
+ $ids_block_level = $security_config['ids_admin_block_level'];
+ } elseif(is_array($_SESSION['s']['user']) && $_SESSION['s']['user']['userid'] > 0) {
+ // User is Client or Reseller
+ $ids_log_level = $security_config['ids_user_log_level'];
+ $ids_warn_level = $security_config['ids_user_warn_level'];
+ $ids_block_level = $security_config['ids_user_block_level'];
+ } else {
+ // Not logged in
+ $ids_log_level = $security_config['ids_anon_log_level'];
+ $ids_warn_level = $security_config['ids_anon_warn_level'];
+ $ids_block_level = $security_config['ids_anon_block_level'];
+ }
+
+ if($impact >= $ids_log_level) {
$ids_log = ISPC_ROOT_PATH.'/temp/ids.log';
if(!is_file($ids_log)) touch($ids_log);
@@ -132,11 +150,11 @@ class ids {
}
- if($impact >= $security_config['ids_warn_level']) {
+ if($impact >= $ids_warn_level) {
$app->log("PHP IDS Alert.".$ids_result, 2);
}
- if($impact >= $security_config['ids_block_level']) {
+ if($impact >= $ids_block_level) {
$app->error("Possible attack detected. This action has been logged.",'', true, 2);
}
diff --git a/interface/lib/classes/plugin_listview.inc.php b/interface/lib/classes/plugin_listview.inc.php
index bc764caefe0dbb144b53d6c87826bad5edb0a637..c9d8340e02e290de97bedba9a4edb530aca6a7b4 100644
--- a/interface/lib/classes/plugin_listview.inc.php
+++ b/interface/lib/classes/plugin_listview.inc.php
@@ -56,7 +56,7 @@ class plugin_listview extends plugin_base {
// $app->listform->listDef["page_params"] = "&id=".$app->tform_actions->id."&next_tab=".$_SESSION["s"]["form"]["tab"];
$app->listform->listDef["page_params"] = "&id=".$this->form->id."&next_tab=".$_SESSION["s"]["form"]["tab"];
$listTpl->setVar('parent_id', $this->form->id);
- $listTpl->setVar('theme', $_SESSION['s']['theme']);
+ $listTpl->setVar('theme', $_SESSION['s']['theme'], true);
// Generate the SQL for searching
$sql_where = "";
@@ -193,13 +193,13 @@ class plugin_listview extends plugin_base {
$listTpl->setVar('phpsessid', session_id());
- $listTpl->setVar('theme', $_SESSION['s']['theme']);
+ $listTpl->setVar('theme', $_SESSION['s']['theme'], true);
$listTpl->setVar('html_content_encoding', $app->_conf['html_content_encoding']);
$listTpl->setVar('delete_confirmation', $app->lng('delete_confirmation'));
//print_r($_SESSION);
if(isset($_SESSION['s']['module']['name'])) {
- $listTpl->setVar('app_module', $_SESSION['s']['module']['name']);
+ $listTpl->setVar('app_module', $_SESSION['s']['module']['name'], true);
}
if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') {
$listTpl->setVar('is_admin', 1);
@@ -209,7 +209,7 @@ class plugin_listview extends plugin_base {
}
/* Show username */
if(isset($_SESSION['s']['user'])) {
- $listTpl->setVar('cpuser', $_SESSION['s']['user']['username']);
+ $listTpl->setVar('cpuser', $_SESSION['s']['user']['username'], true);
$listTpl->setVar('logout_txt', $app->lng('logout_txt'));
/* Show search field only for normal users, not mail users */
if(stristr($_SESSION['s']['user']['username'], '@')){
diff --git a/interface/lib/classes/tform.inc.php b/interface/lib/classes/tform.inc.php
index 503bd24eb83db64554010944519b9c79898b6bb1..b28e50322454c93df811dc94a70549d0a23931a2 100644
--- a/interface/lib/classes/tform.inc.php
+++ b/interface/lib/classes/tform.inc.php
@@ -115,11 +115,18 @@ class tform extends tform_base {
// Show the same tab again in case of an error
$active_tab = $_SESSION["s"]["form"]["tab"];
}
+
+ if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$active_tab)) {
+ die('Invalid next tab name.');
+ }
return $active_tab;
}
function getCurrentTab() {
+ if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$_SESSION["s"]["form"]["tab"])) {
+ die('Invalid current tab name.');
+ }
return $_SESSION["s"]["form"]["tab"];
}
diff --git a/interface/lib/classes/tform_actions.inc.php b/interface/lib/classes/tform_actions.inc.php
index e0ff25145575407e09e062b40f57e462e99c5c2d..f277c51274f3e8e4f9c5f03814f07367c7a8fcf2 100644
--- a/interface/lib/classes/tform_actions.inc.php
+++ b/interface/lib/classes/tform_actions.inc.php
@@ -287,7 +287,7 @@ class tform_actions {
global $app, $conf;
$app->tpl->setVar("error", "
".$app->tform->errorMessage."");
- $app->tpl->setVar($this->dataRecord);
+ $app->tpl->setVar($this->dataRecord, null, true);
$this->onShow();
}
diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php
index d06072e830c75e9b33e7abe960c3ef69311d1d31..0e839c53d3e5aec2263032a896e81b13aa2369e5 100644
--- a/interface/lib/classes/tform_base.inc.php
+++ b/interface/lib/classes/tform_base.inc.php
@@ -245,7 +245,7 @@ class tform_base {
*/
function decode($record, $tab) {
global $conf, $app;
- if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab does not exist or the tab is empty (TAB: $tab).");
+ if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab does not exist or the tab is empty (TAB: ".$app->functions->htmlentities($tab).").");
return $this->_decode($record, $tab, false);
}
@@ -416,7 +416,7 @@ class tform_base {
$this->action = $action;
if(!is_array($this->formDef)) $app->error("No form definition found.");
- if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: $tab).");
+ if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).").");
/* CSRF PROTECTION */
// generate csrf protection id and key
@@ -868,7 +868,7 @@ class tform_base {
function encode($record, $tab, $dbencode = true) {
global $app;
- if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab is empty or does not exist (TAB: $tab).");
+ if(!is_array($this->formDef['tabs'][$tab])) $app->error("Tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).").");
return $this->_encode($record, $tab, $dbencode, false);
}
@@ -1437,7 +1437,7 @@ class tform_base {
}
if(!is_array($this->formDef)) $app->error("Form definition not found.");
- if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: $tab).");
+ if(!is_array($this->formDef['tabs'][$tab])) $app->error("The tab is empty or does not exist (TAB: ".$app->functions->htmlentities($tab).").");
return $this->_getSQL($record, $tab, $action, $primary_id, $sql_ext_where, false);
}
diff --git a/interface/lib/classes/tpl.inc.php b/interface/lib/classes/tpl.inc.php
index 2104cf61a5f50ea4dbd3e2bd52eb19c496158496..efaf4c072a8ceac226b9fb5d243fdadb4fa0d9f7 100644
--- a/interface/lib/classes/tpl.inc.php
+++ b/interface/lib/classes/tpl.inc.php
@@ -226,21 +226,26 @@ if (!defined('vlibTemplateClassLoaded')) {
* using the keys as variable names and the values as variable values.
* @param mixed $k key to define variable name
* @param mixed $v variable to assign to $k
+ * @param bool $encode if set to true use htmlentities on values
* @return boolean true/false
* @access public
*/
- public function setVar($k, $v = null)
+ public function setVar($k, $v = null, $encode = false)
{
+ global $app;
+
if (is_array($k)) {
foreach($k as $key => $value){
$key = ($this->OPTIONS['CASELESS']) ? strtolower(trim($key)) : trim($key);
if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $key) && $value !== null ) {
+ if($encode == true) $value = $app->functions->htmlentities($value);
$this->_vars[$key] = $value;
}
}
} else {
if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $k) && $v !== null) {
if ($this->OPTIONS['CASELESS']) $k = strtolower($k);
+ if($encode == true) $v = $app->functions->htmlentities($v);
$this->_vars[trim($k)] = $v;
} else {
return false;
diff --git a/interface/web/admin/directive_snippets_edit.php b/interface/web/admin/directive_snippets_edit.php
index de803581e07d373a23bfce05e490772d041788b4..b12da0a79bf28f000b0c11103db13482557608ad 100644
--- a/interface/web/admin/directive_snippets_edit.php
+++ b/interface/web/admin/directive_snippets_edit.php
@@ -70,9 +70,9 @@ class page_action extends tform_actions {
if($this->id > 0){
if($this->dataRecord['master_directive_snippets_id'] > 0){
$is_master = true;
- $app->tpl->setVar("name", $this->dataRecord['name']);
- $app->tpl->setVar("type", $this->dataRecord['type']);
- $app->tpl->setVar("snippet", $this->dataRecord['snippet']);
+ $app->tpl->setVar("name", $this->dataRecord['name'], true);
+ $app->tpl->setVar("type", $this->dataRecord['type'], true);
+ $app->tpl->setVar("snippet", $this->dataRecord['snippet'], true);
}
}
$app->tpl->setVar("is_master", $is_master);
diff --git a/interface/web/admin/firewall_edit.php b/interface/web/admin/firewall_edit.php
index 4ee72aa954c6baf3302154e359c03b7a70aef261..01cad2b815b1c09775bf0a95ac31b57e01dcefec 100644
--- a/interface/web/admin/firewall_edit.php
+++ b/interface/web/admin/firewall_edit.php
@@ -57,7 +57,7 @@ class page_action extends tform_actions {
if($this->id ==0) { //* new record
$server_list = $app->db->queryAllRecords("SELECT server_id, server_name FROM server WHERE server_id NOT IN (SELECT server_id FROM firewall) ORDER BY server_name");
if(is_array($server_list)) {
- foreach( $server_list as $server) $server_select .= "\r\n";
+ foreach( $server_list as $server) $server_select .= "\r\n";
}
$app->tpl->setVar('server_id', $server_select);
}
diff --git a/interface/web/admin/server_edit.php b/interface/web/admin/server_edit.php
index 5b446c0494adea6818d9292e830718c9efd435f6..b146d8f295d991ed6161f59349373a3800561aa0 100644
--- a/interface/web/admin/server_edit.php
+++ b/interface/web/admin/server_edit.php
@@ -61,7 +61,7 @@ class page_action extends tform_actions {
if(is_array($mirror_servers)) {
foreach( $mirror_servers as $mirror_server) {
$selected = ($mirror_server["server_id"] == $this->dataRecord['mirror_server_id'])?'SELECTED':'';
- $mirror_server_select .= "\r\n";
+ $mirror_server_select .= "\r\n";
}
}
$app->tpl->setVar("mirror_server_id", $mirror_server_select);
diff --git a/interface/web/admin/server_ip_map_edit.php b/interface/web/admin/server_ip_map_edit.php
index 4442287132f6f8c1c9b775b178c9b69dc1297d85..b5188673093184891d15b04dea9e82fed61f6d09 100644
--- a/interface/web/admin/server_ip_map_edit.php
+++ b/interface/web/admin/server_ip_map_edit.php
@@ -52,7 +52,7 @@ class page_action extends tform_actions {
if(is_array($servers)) {
foreach($servers as $server) {
$selected = ($server['server_id'] == $this->dataRecord['server_id'])?'SELECTED':'';
- $server_select .= "\r\n";
+ $server_select .= "\r\n";
}
}
unset($servers);
@@ -65,7 +65,7 @@ class page_action extends tform_actions {
if(is_array($ips)) {
foreach( $ips as $ip) {
$selected = ($ip['ip_address'] == $this->dataRecord['source_ip'])?'SELECTED':'';
- $ip_select .= "\r\n";
+ $ip_select .= "\r\n";
}
}
unset($ips);
diff --git a/interface/web/client/client_del.php b/interface/web/client/client_del.php
index 1540bfbfd7528d3f8bb8a5e91a9bc96aa140aa03..8bef6e9d634868439d7d57ff49f8ab78e4341e26 100644
--- a/interface/web/client/client_del.php
+++ b/interface/web/client/client_del.php
@@ -128,13 +128,12 @@ class page_action extends tform_actions {
$app->db->query("DELETE FROM sys_user WHERE client_id = ?", $client_id);
// Delete all records (sub-clients, mail, web, etc....) of this client.
- $tables = 'client,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_domain,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,support_message,web_database,web_database_user,web_domain,web_folder,web_folder_user,domain,mail_mailinglist';
+ $tables = 'client,dns_rr,dns_soa,dns_slave,ftp_user,mail_access,mail_content_filter,mail_domain,mail_forwarding,mail_get,mail_user,mail_user_filter,shell_user,spamfilter_users,support_message,web_database,web_database_user,web_domain,web_folder,web_folder_user,domain,mail_mailinglist,spamfilter_wblist';
$tables_array = explode(',', $tables);
$client_group_id = $app->functions->intval($client_group['groupid']);
if($client_group_id > 1) {
foreach($tables_array as $table) {
if($table != '') {
- $records = $app->db->queryAllRecords("SELECT * FROM ?? WHERE sys_groupid = ?", $table, $client_group_id);
//* find the primary ID of the table
$table_info = $app->db->tableInfo($table);
$index_field = '';
@@ -143,6 +142,7 @@ class page_action extends tform_actions {
}
//* Delete the records
if($index_field != '') {
+ $records = $app->db->queryAllRecords("SELECT * FROM ?? WHERE sys_groupid = ? ORDER BY ?? DESC", $table, $client_group_id, $index_field);
if(is_array($records)) {
foreach($records as $rec) {
$app->db->datalogDelete($table, $index_field, $rec[$index_field]);
diff --git a/interface/web/client/client_message.php b/interface/web/client/client_message.php
index eb8bcdbae244e1e5a93958cd2a3f8cabf042ffb6..b4638bd2151ce076df7d96970166e163552d21ea 100644
--- a/interface/web/client/client_message.php
+++ b/interface/web/client/client_message.php
@@ -114,9 +114,9 @@ if(isset($_POST) && count($_POST) > 1) {
}
} else {
- $app->tpl->setVar('sender', $_POST['sender']);
- $app->tpl->setVar('subject', $_POST['subject']);
- $app->tpl->setVar('message', $_POST['message']);
+ $app->tpl->setVar('sender', $_POST['sender'], true);
+ $app->tpl->setVar('subject', $_POST['subject'], true);
+ $app->tpl->setVar('message', $_POST['message'], true);
}
} else {
// pre-fill Sender field with reseller's email address
diff --git a/interface/web/client/message_template_edit.php b/interface/web/client/message_template_edit.php
index 7d285ac7ef86e6bd1f6ee7a379ef21cb24f62e7d..1c11ff89577afc49c921d82646e5749fb342ec1b 100644
--- a/interface/web/client/message_template_edit.php
+++ b/interface/web/client/message_template_edit.php
@@ -80,7 +80,7 @@ class page_action extends tform_actions {
if($field_name['Field'] == 'gender'){
$message_variables .= '{salutation} ';
} else {
- $message_variables .= '{'.$field_name['Field'].'} ';
+ $message_variables .= '{'.$app->functions->htmlentities($field_name['Field']).'} ';
}
}
}
diff --git a/interface/web/dns/dns_dkim_edit.php b/interface/web/dns/dns_dkim_edit.php
index 7f7e6856dbe45c494a3121277bcbb669774519c5..35bac0d0c6254b642fc8a198b28209cb64109f49 100644
--- a/interface/web/dns/dns_dkim_edit.php
+++ b/interface/web/dns/dns_dkim_edit.php
@@ -76,8 +76,8 @@ class page_action extends tform_actions {
if(isset($sql['domain']) && $sql['domain'] != '') {
if($sql['dkim'] == 'y') {
$public_key=str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$sql['dkim_public']);
- $app->tpl->setVar('public_key', $public_key);
- $app->tpl->setVar('selector', $sql['dkim_selector']);
+ $app->tpl->setVar('public_key', $public_key, true);
+ $app->tpl->setVar('selector', $sql['dkim_selector'], true);
} else {
//TODO: show warning - use mail_domain for dkim and enabled dkim
}
@@ -85,7 +85,7 @@ class page_action extends tform_actions {
} else {
$app->tpl->setVar('edit_disabled', 0);
}
- $app->tpl->setVar('name', $soa['origin']);
+ $app->tpl->setVar('name', $soa['origin'], true);
}
diff --git a/interface/web/dns/dns_dmarc_edit.php b/interface/web/dns/dns_dmarc_edit.php
index c806c7c20e4a44c35f4866c3a5b93dc2531b2288..7f915074d75deccbf9f3f62cbb2e75a7b8ab6da2 100644
--- a/interface/web/dns/dns_dmarc_edit.php
+++ b/interface/web/dns/dns_dmarc_edit.php
@@ -93,7 +93,7 @@ class page_action extends tform_actions {
if ( isset($rec) && !empty($rec) ) {
$this->id = 1;
$old_data = strtolower($rec['data']);
- $app->tpl->setVar("data", $old_data);
+ $app->tpl->setVar("data", $old_data, true);
if ($rec['active'] == 'Y') $app->tpl->setVar("active", "CHECKED"); else $app->tpl->setVar("active", "UNCHECKED");
$dmarc_rua = '';
$dmarc_ruf = '';
@@ -123,7 +123,7 @@ class page_action extends tform_actions {
}
//set html-values
- $app->tpl->setVar('domain', $domain_name);
+ $app->tpl->setVar('domain', $domain_name, true);
//create dmarc-policy-list
$dmarc_policy_value = array(
@@ -138,9 +138,9 @@ class page_action extends tform_actions {
}
$app->tpl->setVar('dmarc_policy', $dmarc_policy_list);
- if (!empty($dmarc_rua)) $app->tpl->setVar("dmarc_rua", $dmarc_rua);
+ if (!empty($dmarc_rua)) $app->tpl->setVar("dmarc_rua", $dmarc_rua, true);
- if (!empty($dmarc_ruf)) $app->tpl->setVar("dmarc_ruf", $dmarc_ruf);
+ if (!empty($dmarc_ruf)) $app->tpl->setVar("dmarc_ruf", $dmarc_ruf, true);
//set dmarc-fo-options
if (isset($dmarc_fo)) {
@@ -178,9 +178,9 @@ class page_action extends tform_actions {
if ( strpos($dmarc_rf, 'afrf') !== false ) $app->tpl->setVar("dmarc_rf_afrf", 'CHECKED');
if ( strpos($dmarc_rf, 'iodef') !== false ) $app->tpl->setVar("dmarc_rf_iodef", 'CHECKED');
- $app->tpl->setVar("dmarc_pct", $dmarc_pct);
+ $app->tpl->setVar("dmarc_pct", $dmarc_pct, true);
- $app->tpl->setVar("dmarc_ri", $dmarc_ri);
+ $app->tpl->setVar("dmarc_ri", $dmarc_ri, true);
//create dmarc-sp-list
$dmarc_sp_value = array(
diff --git a/interface/web/dns/dns_import.php b/interface/web/dns/dns_import.php
index fb66b7b176ae6392add54894cab364f0b3d6fbe1..405e437838a4895687790f11fbe5dcd971477560 100644
--- a/interface/web/dns/dns_import.php
+++ b/interface/web/dns/dns_import.php
@@ -587,6 +587,15 @@ if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'
if($dns_rr[$r]['type'] == 'NS' && $dns_rr[$r]['name'] == $soa['name']){
unset($dns_rr[$r]);
}
+
+ $valid = true;
+ $dns_rr[$r]['ttl'] = $app->functions->intval($dns_rr[$r]['ttl']);
+ $dns_rr[$r]['aux'] = $app->functions->intval($dns_rr[$r]['aux']);
+ $dns_rr[$r]['data'] = strip_tags($dns_rr[$r]['data']);
+ if(!preg_match('/^[a-zA-Z0-9\.\-\*]{0,64}$/',$dns_rr[$r]['name'])) $valid == false;
+ if(!in_array(strtoupper($dns_rr[$r]['type']),array('A','AAAA','ALIAS','CNAME','DS','HINFO','LOC','MX','NAPTR','NS','PTR','RP','SRV','TXT','TLSA','DNSKEY'))) $valid == false;
+ if($valid == false) unset($dns_rr[$r]);
+
$r++;
}
$i++;
diff --git a/interface/web/dns/dns_slave_edit.php b/interface/web/dns/dns_slave_edit.php
index 4d588ef8e032ab1e0bfd3ae270aacb6bc8292d85..117b101b875de812e10160b1bfe37031164cecb8 100644
--- a/interface/web/dns/dns_slave_edit.php
+++ b/interface/web/dns/dns_slave_edit.php
@@ -132,7 +132,7 @@ class page_action extends tform_actions {
if ($domain['domain'].'.' == $this->dataRecord["origin"]) {
$domain_select .= " selected";
}
- $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".\r\n";
+ $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".\r\n";
}
}
else {
@@ -149,7 +149,7 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php
index 6faefac3903ec588d400fa2b8bb48e69a612ac35..9b36daee1500fb07ecf1c8b5f43668be3a063c96 100644
--- a/interface/web/dns/dns_soa_edit.php
+++ b/interface/web/dns/dns_soa_edit.php
@@ -179,7 +179,7 @@ class page_action extends tform_actions {
$options_dns_servers = "";
foreach ($dns_servers as $dns_server) {
- $options_dns_servers .= '';
+ $options_dns_servers .= '';
}
$app->tpl->setVar("client_server_id", $options_dns_servers);
@@ -200,7 +200,7 @@ class page_action extends tform_actions {
if ($domain['domain'].'.' == $this->dataRecord["origin"]) {
$domain_select .= " selected";
}
- $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . ".\r\n";
+ $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . ".\r\n";
}
}
else {
@@ -217,12 +217,12 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
$datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'dns_soa' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'id:' . $this->id);
if(is_array($datalog) && !empty($datalog)){
if(trim($datalog['error']) != ''){
- $app->tpl->setVar("config_error_msg", nl2br(htmlentities($datalog['error'])));
+ $app->tpl->setVar("config_error_msg", nl2br($app->functions->htmlentities($datalog['error'])));
$app->tpl->setVar("config_error_tstamp", date($app->lng('conf_format_datetime'), $datalog['tstamp']));
}
}
diff --git a/interface/web/dns/dns_spf_edit.php b/interface/web/dns/dns_spf_edit.php
index ca109272d8aa17111c7094c7a5eb05386a0feb7a..94096662a1e8e0af7e0e228d322d0c955076b8f2 100644
--- a/interface/web/dns/dns_spf_edit.php
+++ b/interface/web/dns/dns_spf_edit.php
@@ -83,7 +83,7 @@ class page_action extends tform_actions {
$this->id = 1;
$old_data = strtolower($rec['data']);
- $app->tpl->setVar("data", $old_data);
+ $app->tpl->setVar("data", $old_data, true);
if ($rec['active'] == 'Y') $app->tpl->setVar("active", "CHECKED"); else $app->tpl->setVar("active", "UNCHECKED");
$spf_hostname = '';
@@ -108,9 +108,9 @@ class page_action extends tform_actions {
}
//set html-values
- $app->tpl->setVar("spf_ip", $spf_ip);
- $app->tpl->setVar("spf_hostname", $spf_hostname);
- $app->tpl->setVar("spf_domain", $spf_domain);
+ $app->tpl->setVar("spf_ip", $spf_ip, true);
+ $app->tpl->setVar("spf_hostname", $spf_hostname, true);
+ $app->tpl->setVar("spf_domain", $spf_domain, true);
//create spf-mechanism-list
$spf_mechanism_value = array(
'+' => 'spf_mechanism_pass_txt',
diff --git a/interface/web/dns/dns_srv_edit.php b/interface/web/dns/dns_srv_edit.php
index e2b290ab9f1f52a1a3ab3a6786aa5ef5f5b0fdf8..16c1086db3a74452c56a37510a9ef9862739169d 100644
--- a/interface/web/dns/dns_srv_edit.php
+++ b/interface/web/dns/dns_srv_edit.php
@@ -51,9 +51,9 @@ class page_action extends dns_page_action {
// Split the 3 parts of the SRV Record apart
$split = explode(' ', $this->dataRecord['data']);
- $app->tpl->setVar('weight', $split[0]);
- $app->tpl->setVar('port', $split[1]);
- $app->tpl->setVar('target', $split[2]);
+ $app->tpl->setVar('weight', $split[0], true);
+ $app->tpl->setVar('port', $split[1], true);
+ $app->tpl->setVar('target', $split[2], true);
parent::onShowEnd();
}
diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php
index 0e955bee09044a9a339b90ea74b631b0ff619db3..32112560a48ba9747f18eee43570acb6c4a96493 100644
--- a/interface/web/dns/dns_wizard.php
+++ b/interface/web/dns/dns_wizard.php
@@ -183,7 +183,7 @@ if(is_array($fields)) {
} else {
$app->tpl->setVar($field."_VISIBLE", 1);
$field = strtolower($field);
- $app->tpl->setVar($field, $_POST[$field]);
+ $app->tpl->setVar($field, $_POST[$field], true);
}
}
}
diff --git a/interface/web/help/faq_delete.php b/interface/web/help/faq_delete.php
index e8f36272786fec032bb0d9d23df22a8258b4199a..c1faed60d99afdad537d4447cd009d2f7e49ff50 100644
--- a/interface/web/help/faq_delete.php
+++ b/interface/web/help/faq_delete.php
@@ -9,10 +9,7 @@ require_once '../../lib/config.inc.php';
require_once '../../lib/app.inc.php';
// Check module permissions
-if(!stristr($_SESSION['s']['user']['modules'], 'help')) {
- header('Location: ../index.php');
- die;
-}
+$app->auth->check_module_permissions('admin');
// Load the form
$app->uses('tform_actions');
diff --git a/interface/web/help/faq_edit.php b/interface/web/help/faq_edit.php
index 629bde88c798f7105ad1b3621ab3cfcfa85fc06f..397f5cccf4233b4a5cefb4485a1f27617d68a1cf 100644
--- a/interface/web/help/faq_edit.php
+++ b/interface/web/help/faq_edit.php
@@ -8,10 +8,7 @@ require_once '../../lib/config.inc.php';
require_once '../../lib/app.inc.php';
// Check the module permissions and redirect if not allowed.
-if(!stristr($_SESSION['s']['user']['modules'], 'help')) {
- header('Location: ../index.php');
- die;
-}
+$app->auth->check_module_permissions('admin');
// Load the templating and form classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/help/faq_list.php b/interface/web/help/faq_list.php
index 128480dca2c2573d3dcb630a4a4d0730d00ce640..ed5ffa4fab21103e0bc9026f0466decef1d224dc 100644
--- a/interface/web/help/faq_list.php
+++ b/interface/web/help/faq_list.php
@@ -7,10 +7,7 @@ require_once '../../lib/app.inc.php';
$list_def_file = 'list/faq_list.php';
// Check the module permissions
-if(!stristr($_SESSION['s']['user']['modules'], 'help')) {
- header('Location: ../index.php');
- die();
-}
+$app->auth->check_module_permissions('help');
// Loading the class
$app->uses('listform_actions');
@@ -31,7 +28,7 @@ $app->listform_actions->SQLExtWhere = "help_faq.hf_section = $hf_section";
if($hf_section) $res = $app->db->queryOneRecord("SELECT hfs_name FROM help_faq_sections WHERE hfs_id=?", $hf_section);
// Start the form rendering and action ahndling
-echo "FAQ: ".$res['hfs_name']."
";
+echo "FAQ: ".$app->functions->htmlentities($res['hfs_name'])."
";
if($hf_section) $app->listform_actions->onLoad();
?>
diff --git a/interface/web/help/faq_manage_questions_list.php b/interface/web/help/faq_manage_questions_list.php
index e72824458683f78bd7a2c8323049a5c636931bd3..ae29e752fca36db0737c78171658ab5077dda556 100644
--- a/interface/web/help/faq_manage_questions_list.php
+++ b/interface/web/help/faq_manage_questions_list.php
@@ -6,7 +6,7 @@ require_once '../../lib/app.inc.php';
$list_def_file = "list/faq_manage_questions_list.php";
//* Check permissions for module
-$app->auth->check_module_permissions('help');
+$app->auth->check_module_permissions('admin');
//* Loading the class
$app->uses('listform_actions');
diff --git a/interface/web/help/faq_sections_delete.php b/interface/web/help/faq_sections_delete.php
index adcacf4376233fe21b53068b89986d736282ae68..865071ff252cc507ef6748322f38cfa341e648d9 100644
--- a/interface/web/help/faq_sections_delete.php
+++ b/interface/web/help/faq_sections_delete.php
@@ -9,10 +9,7 @@ require_once '../../lib/config.inc.php';
require_once '../../lib/app.inc.php';
// Check module permissions
-if(!stristr($_SESSION['s']['user']['modules'], 'help')) {
- header('Location: ../index.php');
- die;
-}
+$app->auth->check_module_permissions('admin');
// Load the form
$app->uses('tform_actions');
diff --git a/interface/web/help/faq_sections_edit.php b/interface/web/help/faq_sections_edit.php
index 32f0123466c98c6c80235cf4888a459521569afe..f146db8605dd34e9c9980871f4a88923c431c9b5 100644
--- a/interface/web/help/faq_sections_edit.php
+++ b/interface/web/help/faq_sections_edit.php
@@ -8,10 +8,7 @@ require_once '../../lib/config.inc.php';
require_once '../../lib/app.inc.php';
// Check the module permissions and redirect if not allowed.
-if(!stristr($_SESSION['s']['user']['modules'], 'help')) {
- header('Location: ../index.php');
- die;
-}
+$app->auth->check_module_permissions('admin');
// Load the templating and form classes
$app->uses('tpl,tform,tform_actions');
diff --git a/interface/web/help/faq_sections_list.php b/interface/web/help/faq_sections_list.php
index 4acb4ae20e107942d62815d38d93baa176d39373..7ce9fb0235cba91f44c3930e98b423c0340c1ba2 100644
--- a/interface/web/help/faq_sections_list.php
+++ b/interface/web/help/faq_sections_list.php
@@ -7,10 +7,7 @@ require_once '../../lib/app.inc.php';
$list_def_file = 'list/faq_sections_list.php';
// Check the module permissions
-if(!stristr($_SESSION['s']['user']['modules'], 'help')) {
- header('Location: ../index.php');
- die();
-}
+$app->auth->check_module_permissions('admin');
// Loading the class
$app->uses('listform_actions');
diff --git a/interface/web/help/form/faq.tform.php b/interface/web/help/form/faq.tform.php
index e795f3566f034c9f56a2f79f1f221e31b45a2fc2..e440de7e6b87103b3f42e04784192268cf4bb61c 100644
--- a/interface/web/help/form/faq.tform.php
+++ b/interface/web/help/form/faq.tform.php
@@ -79,6 +79,12 @@ $form['tabs']['message'] = array(
'errmsg'=> 'subject_is_empty'
),
),
+ 'filters' => array(
+ 0 => array( 'event' => 'SAVE',
+ 'type' => 'STRIPTAGS'),
+ 1 => array( 'event' => 'SAVE',
+ 'type' => 'STRIPNL')
+ ),
'default' => '',
'value' => '',
'width' => '30',
diff --git a/interface/web/help/templates/help_faq_list.htm b/interface/web/help/templates/help_faq_list.htm
index e81dae2e0ba7279ce2c4f5a03203c4e0e04cf15f..28850fe8300e881a6a8407e5e27c516ec48e0ef1 100644
--- a/interface/web/help/templates/help_faq_list.htm
+++ b/interface/web/help/templates/help_faq_list.htm
@@ -12,5 +12,3 @@
-
-
diff --git a/interface/web/index.php b/interface/web/index.php
index 4a2103208101e69633d6a18923fc1d81f9137b7e..1bccb1ebe17093938c57fcfadaba577057875ea4 100644
--- a/interface/web/index.php
+++ b/interface/web/index.php
@@ -41,7 +41,7 @@ if(!isset($_SESSION['s']['module']['name'])) $_SESSION['s']['module']['name'] =
$app->uses('tpl');
$app->tpl->newTemplate('main.tpl.htm');
-$app->tpl->setVar('startpage', isset($_SESSION['s']['module']['startpage']) ? $_SESSION['s']['module']['startpage'] : '');
+$app->tpl->setVar('startpage', isset($_SESSION['s']['module']['startpage']) ? $_SESSION['s']['module']['startpage'] : '', true);
$app->tpl->setVar('logged_in', ($_SESSION['s']['user']['active'] != 1 ? 'n' : 'y'));
// tab change warning?
@@ -93,7 +93,7 @@ if(@is_dir($js_d)) {
if (!empty($js_d_files)) $app->tpl->setLoop('js_d_includes', $js_d_files);
unset($js_d_files);
-$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default');
+$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default', true);
// Logo
$logo = $app->db->queryOneRecord("SELECT * FROM sys_ini WHERE sysini_id = 1");
diff --git a/interface/web/login/index.php b/interface/web/login/index.php
index bccf4330af9e6dedc0c9328976cddd9ccb5cf361..441de353ca5aa41fff7f7eaf8a96d1f7422be4a3 100644
--- a/interface/web/login/index.php
+++ b/interface/web/login/index.php
@@ -340,7 +340,7 @@ $app->tpl->setVar('login_button_txt', $app->lng('login_button_txt'));
$app->tpl->setVar('session_timeout', $server_config_array['session_timeout']);
$app->tpl->setVar('session_allow_endless', $server_config_array['session_allow_endless']);
//$app->tpl->setInclude('content_tpl', 'login/templates/index.htm');
-$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default');
+$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default', true);
//die(isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default');
// Logo
diff --git a/interface/web/login/password_reset.php b/interface/web/login/password_reset.php
index c0d454cd326fce1f1e6ae5d72b55bcf5675cfbb2..e6976bff734798d0c5ee59440c161f072465540c 100644
--- a/interface/web/login/password_reset.php
+++ b/interface/web/login/password_reset.php
@@ -156,7 +156,7 @@ if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != '
if(isset($_POST) && count($_POST) > 0) $app->tpl->setVar("msg", $wb['pw_error_noinput']);
}
-$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default');
+$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default', true);
// Logo
$logo = $app->db->queryOneRecord("SELECT * FROM sys_ini WHERE sysini_id = 1");
diff --git a/interface/web/mail/form/mail_forward.tform.php b/interface/web/mail/form/mail_forward.tform.php
index 260d953982778b81ccc453b926e398f84b52f3e0..3c902b4221f717c456133c748238c8e1d77304cd 100644
--- a/interface/web/mail/form/mail_forward.tform.php
+++ b/interface/web/mail/form/mail_forward.tform.php
@@ -100,9 +100,7 @@ $form["tabs"]['forward'] = array (
2 => array( 'event' => 'SAVE',
'type' => 'TOLOWER'),
3 => array( 'event' => 'SAVE',
- 'type' => 'STRIPTAGS'),
- 4 => array( 'event' => 'SAVE',
- 'type' => 'STRIPNL')
+ 'type' => 'STRIPTAGS')
),
'default' => '',
'value' => '',
diff --git a/interface/web/mail/mail_alias_edit.php b/interface/web/mail/mail_alias_edit.php
index 4292f8f4c2e405c45256a8cdf35000c9eefe8f3c..eb7ff4b4d639f34b887ea6f96bfdd5c1b414d2aa 100644
--- a/interface/web/mail/mail_alias_edit.php
+++ b/interface/web/mail/mail_alias_edit.php
@@ -83,7 +83,7 @@ class page_action extends tform_actions {
foreach( $domains as $domain) {
$domain['domain'] = $app->functions->idn_decode($domain['domain']);
$selected = ($domain["domain"] == @$email_parts[1])?'SELECTED':'';
- $domain_select .= "\r\n";
+ $domain_select .= "\r\n";
}
}
$app->tpl->setVar("email_domain", $domain_select);
diff --git a/interface/web/mail/mail_aliasdomain_edit.php b/interface/web/mail/mail_aliasdomain_edit.php
index 918a5f3a05b47a9e3a16a328c030e4d8eaafa35d..ef3b16275c5bf4bf69e5df1de50aa10150cd1d41 100644
--- a/interface/web/mail/mail_aliasdomain_edit.php
+++ b/interface/web/mail/mail_aliasdomain_edit.php
@@ -82,9 +82,9 @@ class page_action extends tform_actions {
foreach( $domains as $domain) {
$domain['domain'] = $app->functions->idn_decode($domain['domain']);
$selected = ($domain["domain"] == @$source_domain)?'SELECTED':'';
- $source_select .= "\r\n";
+ $source_select .= "\r\n";
$selected = ($domain["domain"] == @$destination_domain)?'SELECTED':'';
- $destination_select .= "\r\n";
+ $destination_select .= "\r\n";
}
}
$app->tpl->setVar("source_domain", $source_select);
diff --git a/interface/web/mail/mail_domain_catchall_edit.php b/interface/web/mail/mail_domain_catchall_edit.php
index 60da619e14363aaaa6903febdb4ec81df3e7ed76..4ef18d45e7c8fee393a5b0666c8e5bf6cf6a1bba 100644
--- a/interface/web/mail/mail_domain_catchall_edit.php
+++ b/interface/web/mail/mail_domain_catchall_edit.php
@@ -82,7 +82,7 @@ class page_action extends tform_actions {
foreach( $domains as $domain) {
$domain['domain'] = $app->functions->idn_decode($domain['domain']);
$selected = (isset($email_parts[1]) && $domain["domain"] == $email_parts[1])?'SELECTED':'';
- $domain_select .= "\r\n";
+ $domain_select .= "\r\n";
}
}
$app->tpl->setVar("email_domain", $domain_select);
diff --git a/interface/web/mail/mail_domain_edit.php b/interface/web/mail/mail_domain_edit.php
index 7565752bd31c575d38731fe09af55c191ba81c70..d7d6ea4c6862bda5ff179078ae38f8efb3474c28 100644
--- a/interface/web/mail/mail_domain_edit.php
+++ b/interface/web/mail/mail_domain_edit.php
@@ -101,7 +101,7 @@ class page_action extends tform_actions {
// Set the mailserver to the default server of the client
$tmp = $app->db->queryOneRecord("SELECT server_name FROM server WHERE server_id = ?", $client['default_mailserver']);
- $app->tpl->setVar("server_id", "");
+ $app->tpl->setVar("server_id", "");
unset($tmp);
if ($settings['use_domain_module'] != 'y') {
@@ -142,7 +142,7 @@ class page_action extends tform_actions {
$options_mail_servers = "";
foreach ($mail_servers as $mail_server) {
- $options_mail_servers .= '';
+ $options_mail_servers .= '';
}
$app->tpl->setVar("client_server_id", $options_mail_servers);
@@ -167,7 +167,7 @@ class page_action extends tform_actions {
if ($domain['domain'] == $this->dataRecord["domain"]) {
$domain_select .= " selected";
}
- $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n";
+ $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n";
}
}
else {
@@ -193,7 +193,7 @@ class page_action extends tform_actions {
if(is_array($policys)) {
foreach( $policys as $p) {
$selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':'';
- $policy_select .= "\r\n";
+ $policy_select .= "\r\n";
}
}
$app->tpl->setVar("policy", $policy_select);
@@ -204,7 +204,7 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
@@ -214,10 +214,10 @@ class page_action extends tform_actions {
$rec = $app->db->queryOneRecord($sql, $app->functions->intval($_GET['id']));
$dns_key = str_replace(array('-----BEGIN PUBLIC KEY-----','-----END PUBLIC KEY-----',"\r","\n"),'',$rec['dkim_public']);
$dns_record = $rec['dkim_selector'] . '._domainkey.' . $rec['domain'] . '. 3600 TXT v=DKIM1; t=s; p=' . $dns_key;
- $app->tpl->setVar('dkim_selector', $rec['dkim_selector']);
- $app->tpl->setVar('dkim_private', $rec['dkim_private']);
- $app->tpl->setVar('dkim_public', $rec['dkim_public']);
- if (!empty($rec['dkim_public'])) $app->tpl->setVar('dns_record', $dns_record);
+ $app->tpl->setVar('dkim_selector', $rec['dkim_selector'], true);
+ $app->tpl->setVar('dkim_private', $rec['dkim_private'], true);
+ $app->tpl->setVar('dkim_public', $rec['dkim_public'], true);
+ if (!empty($rec['dkim_public'])) $app->tpl->setVar('dns_record', $dns_record, true);
parent::onShowEnd();
}
diff --git a/interface/web/mail/mail_forward_edit.php b/interface/web/mail/mail_forward_edit.php
index 17ce213cb2a31a511bf09173a55493497b0b305f..ee8c5f29971b38bbe2cf27e674496eca68a1bb9a 100644
--- a/interface/web/mail/mail_forward_edit.php
+++ b/interface/web/mail/mail_forward_edit.php
@@ -82,7 +82,7 @@ class page_action extends tform_actions {
foreach( $domains as $domain) {
$domain['domain'] = $app->functions->idn_decode($domain['domain']);
$selected = (isset($email_parts[1]) && $domain["domain"] == $email_parts[1])?'SELECTED':'';
- $domain_select .= "\r\n";
+ $domain_select .= "\r\n";
}
$app->tpl->setVar("email_domain", $domain_select);
diff --git a/interface/web/mail/mail_mailinglist_edit.php b/interface/web/mail/mail_mailinglist_edit.php
index 1419627529253adf23bba5bdfb5f00ba0de749d5..57d9c77f2efe9f01a0f22a51566fe1d034155684 100644
--- a/interface/web/mail/mail_mailinglist_edit.php
+++ b/interface/web/mail/mail_mailinglist_edit.php
@@ -116,7 +116,7 @@ class page_action extends tform_actions {
if(is_array($domains)) {
foreach( $domains as $domain) {
$selected = ($domain["domain"] == $this->dataRecord["domain"])?'SELECTED':'';
- $domain_select .= "\r\n";
+ $domain_select .= "\r\n";
}
}
$app->tpl->setVar("domain_option", $domain_select);
@@ -124,9 +124,9 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("listname_value", $this->dataRecord["listname"]);
- $app->tpl->setVar("domain_value", $this->dataRecord["domain"]);
- $app->tpl->setVar("email_value", $this->dataRecord["email"]);
+ $app->tpl->setVar("listname_value", $this->dataRecord["listname"], true);
+ $app->tpl->setVar("domain_value", $this->dataRecord["domain"], true);
+ $app->tpl->setVar("email_value", $this->dataRecord["email"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
diff --git a/interface/web/mail/mail_spamfilter_edit.php b/interface/web/mail/mail_spamfilter_edit.php
index 6282a38b0ff85596a30322381133af5f9a8772ca..c47ec8b41a72072a94a670cd8702e1b051f735d3 100644
--- a/interface/web/mail/mail_spamfilter_edit.php
+++ b/interface/web/mail/mail_spamfilter_edit.php
@@ -67,7 +67,7 @@ class page_action extends tform_actions {
$domain_select = '';
foreach( $domains as $domain) {
$selected = ($domain["domain"] == $email_parts[1])?'SELECTED':'';
- $domain_select .= "\r\n";
+ $domain_select .= "\r\n";
}
$app->tpl->setVar("email_domain", $domain_select);
diff --git a/interface/web/mail/mail_transport_edit.php b/interface/web/mail/mail_transport_edit.php
index 9707d2fce018433c4e8c0c84a61ba9649548d06a..65667726ad39ff8d6c0d5d5d8b18adc51b6ef705 100644
--- a/interface/web/mail/mail_transport_edit.php
+++ b/interface/web/mail/mail_transport_edit.php
@@ -70,6 +70,7 @@ class page_action extends tform_actions {
function onShowEnd() {
global $app, $conf;
+ $rec = array();
$types = array('smtp' => 'smtp', 'uucp' => 'uucp', 'slow' => 'slow', 'error' => 'error', 'custom' => 'custom', '' => 'null');
$tmp_parts = explode(":", $this->dataRecord["transport"]);
if(!empty($this->id) && !stristr($this->dataRecord["transport"], ':')) {
@@ -106,7 +107,7 @@ class page_action extends tform_actions {
}
}
$rec["type"] = $type_select;
- $app->tpl->setVar($rec);
+ $app->tpl->setVar($rec, null, true);
unset($type);
unset($types);
diff --git a/interface/web/mail/mail_user_edit.php b/interface/web/mail/mail_user_edit.php
index 87d3be66bbf2f4a21b0dbf12d7de76f5ab3cf34d..6cf9b34e3649b6b352d7b05fa65fcb5ceda0a58e 100644
--- a/interface/web/mail/mail_user_edit.php
+++ b/interface/web/mail/mail_user_edit.php
@@ -84,7 +84,7 @@ class page_action extends tform_actions {
foreach( $domains as $domain) {
$domain['domain'] = $app->functions->idn_decode($domain['domain']);
$selected = ($domain["domain"] == @$email_parts[1])?'SELECTED':'';
- $domain_select .= "\r\n";
+ $domain_select .= "\r\n";
}
}
$app->tpl->setVar("email_domain", $domain_select);
@@ -100,7 +100,7 @@ class page_action extends tform_actions {
if(is_array($policys)) {
foreach( $policys as $p) {
$selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':'';
- $policy_select .= "\r\n";
+ $policy_select .= "\r\n";
}
}
$app->tpl->setVar("policy", $policy_select);
@@ -121,7 +121,7 @@ class page_action extends tform_actions {
if($this->dataRecord['autoresponder_subject'] == '') {
$app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject'));
} else {
- $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']);
+ $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true);
}
$app->uses('getconf');
diff --git a/interface/web/mail/xmpp_domain_edit.php b/interface/web/mail/xmpp_domain_edit.php
index 39132011148a73989d67a73cc7057e234f65bb2d..a89d27c4524a76332f22bbdf0f996ddc870e318f 100644
--- a/interface/web/mail/xmpp_domain_edit.php
+++ b/interface/web/mail/xmpp_domain_edit.php
@@ -165,7 +165,7 @@ class page_action extends tform_actions {
$options_xmpp_servers = "";
foreach ($xmpp_servers as $xmpp_server) {
- $options_xmpp_servers .= "";
+ $options_xmpp_servers .= "";
}
$app->tpl->setVar("client_server_id", $options_xmpp_servers);
@@ -190,7 +190,7 @@ class page_action extends tform_actions {
if ($domain['domain'] == $this->dataRecord["domain"]) {
$domain_select .= " selected";
}
- $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n";
+ $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n";
}
}
else {
@@ -211,7 +211,7 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
diff --git a/interface/web/mail/xmpp_user_edit.php b/interface/web/mail/xmpp_user_edit.php
index 16d440a9f1a5419a968765eb602d077b43b3504e..188de01ae240d7f3331509e581c82df5df0b1494 100644
--- a/interface/web/mail/xmpp_user_edit.php
+++ b/interface/web/mail/xmpp_user_edit.php
@@ -83,7 +83,7 @@ class page_action extends tform_actions {
foreach( $domains as $domain) {
$domain['domain'] = $app->functions->idn_decode($domain['domain']);
$selected = ($domain["domain"] == @$jid_parts[1])?'SELECTED':'';
- $domain_select .= "\r\n";
+ $domain_select .= "\r\n";
}
}
$app->tpl->setVar("jid_domain", $domain_select);
diff --git a/interface/web/mailuser/mail_user_autoresponder_edit.php b/interface/web/mailuser/mail_user_autoresponder_edit.php
index 8007c0fd814ee934db7d7b08f43d18321fcffc41..d93151bf24094f72829e2da89dcfb5321b6ee413 100644
--- a/interface/web/mailuser/mail_user_autoresponder_edit.php
+++ b/interface/web/mailuser/mail_user_autoresponder_edit.php
@@ -84,7 +84,7 @@ class page_action extends tform_actions {
if($this->dataRecord['autoresponder_subject'] == '') {
$app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject'));
} else {
- $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']);
+ $app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true);
}
parent::onShowEnd();
diff --git a/interface/web/mailuser/mail_user_cc_edit.php b/interface/web/mailuser/mail_user_cc_edit.php
index 39e5bdf6f95b01fdf1d865aca92b70138ac5186e..778be781ece87a4d7ee5f35bc715c96aafb2cc01 100644
--- a/interface/web/mailuser/mail_user_cc_edit.php
+++ b/interface/web/mailuser/mail_user_cc_edit.php
@@ -75,7 +75,7 @@ class page_action extends tform_actions {
global $app, $conf;
$rec = $app->tform->getDataRecord($this->id);
- $app->tpl->setVar("email", $rec['email']);
+ $app->tpl->setVar("email", $rec['email'], true);
parent::onShowEnd();
}
diff --git a/interface/web/mailuser/mail_user_password_edit.php b/interface/web/mailuser/mail_user_password_edit.php
index 07a19259ea0d045e4d3d65ac939d32453dfb6b2f..5c5706177a6b2d0fa41b7a9edd386546764ed688 100644
--- a/interface/web/mailuser/mail_user_password_edit.php
+++ b/interface/web/mailuser/mail_user_password_edit.php
@@ -63,7 +63,7 @@ class page_action extends tform_actions {
global $app, $conf;
$rec = $app->tform->getDataRecord($_SESSION['s']['user']['mailuser_id']);
- $app->tpl->setVar("email", $rec['email']);
+ $app->tpl->setVar("email", $rec['email'], true);
parent::onShowEnd();
}
diff --git a/interface/web/mailuser/mail_user_spamfilter_edit.php b/interface/web/mailuser/mail_user_spamfilter_edit.php
index 9d3735672184d0d3c3596c0e7eb19fc59a6a27f8..abbea219376204ce922762129849da67122a4738 100644
--- a/interface/web/mailuser/mail_user_spamfilter_edit.php
+++ b/interface/web/mailuser/mail_user_spamfilter_edit.php
@@ -112,7 +112,7 @@ class page_action extends tform_actions {
global $app, $conf;
$rec = $app->tform->getDataRecord($this->id);
- $app->tpl->setVar("email", $rec['email']);
+ $app->tpl->setVar("email", $rec['email'], true);
// Get the spamfilter policys for the user
$tmp_user = $app->db->queryOneRecord("SELECT policy_id FROM spamfilter_users WHERE email = ?", $rec['email']);
@@ -122,7 +122,7 @@ class page_action extends tform_actions {
if(is_array($policys)) {
foreach( $policys as $p) {
$selected = ($p["id"] == $tmp_user["policy_id"])?'SELECTED':'';
- $policy_select .= "\r\n";
+ $policy_select .= "\r\n";
}
}
$app->tpl->setVar("policy", $policy_select);
diff --git a/interface/web/sites/cron_edit.php b/interface/web/sites/cron_edit.php
index a8326493cad61e5537b3ed134fab4a737c3d8cdd..62f338f33f30f6e60502cd9e02398fb2f7e961e8 100644
--- a/interface/web/sites/cron_edit.php
+++ b/interface/web/sites/cron_edit.php
@@ -73,7 +73,7 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
+ $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
diff --git a/interface/web/sites/database_edit.php b/interface/web/sites/database_edit.php
index 213063ae89bdb70c495e630a345caa52e73987cc..71e5acaf27c120d8d332485e494de8af8fd1689a 100644
--- a/interface/web/sites/database_edit.php
+++ b/interface/web/sites/database_edit.php
@@ -89,7 +89,7 @@ class page_action extends tform_actions {
}
foreach ($tmp as $db_server) {
- $options_db_servers .= '';
+ $options_db_servers .= '';
}
$app->tpl->setVar("server_id", $options_db_servers);
@@ -112,7 +112,7 @@ class page_action extends tform_actions {
}
foreach ($tmp as $db_server) {
- $options_db_servers .= '';
+ $options_db_servers .= '';
}
$app->tpl->setVar("server_id", $options_db_servers);
@@ -143,22 +143,22 @@ class page_action extends tform_actions {
if ($this->dataRecord['database_name'] != ""){
/* REMOVE the restriction */
- $app->tpl->setVar("database_name", $app->tools_sites->removePrefix($this->dataRecord['database_name'], $this->dataRecord['database_name_prefix'], $dbname_prefix));
+ $app->tpl->setVar("database_name", $app->tools_sites->removePrefix($this->dataRecord['database_name'], $this->dataRecord['database_name_prefix'], $dbname_prefix), true);
}
if($this->dataRecord['database_name'] == "") {
- $app->tpl->setVar("database_name_prefix", $dbname_prefix);
+ $app->tpl->setVar("database_name_prefix", $dbname_prefix, true);
} else {
- $app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix']));
+ $app->tpl->setVar("database_name_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_name_prefix'], $dbname_prefix, $global_config['dbname_prefix']), true);
}
if($this->id > 0) {
//* we are editing a existing record
$edit_disabled = @($_SESSION["s"]["user"]["typ"] == 'admin')? 0 : 1; //* admin can change the database-name
$app->tpl->setVar("edit_disabled", $edit_disabled);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
- $app->tpl->setVar("database_charset_value", $this->dataRecord["database_charset"]);
- $app->tpl->setVar("limit_database_quota", $this->dataRecord["database_quota"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
+ $app->tpl->setVar("database_charset_value", $this->dataRecord["database_charset"], true);
+ $app->tpl->setVar("limit_database_quota", $this->dataRecord["database_quota"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
diff --git a/interface/web/sites/database_user_edit.php b/interface/web/sites/database_user_edit.php
index e7bfa611a937be481efde7ae8ba7a8308cbaf01c..07fa1315f062960e5f214aefdaa3eebb19f8837b 100644
--- a/interface/web/sites/database_user_edit.php
+++ b/interface/web/sites/database_user_edit.php
@@ -118,13 +118,13 @@ class page_action extends tform_actions {
if ($this->dataRecord['database_user'] != ""){
/* REMOVE the restriction */
- $app->tpl->setVar("database_user", $app->tools_sites->removePrefix($this->dataRecord['database_user'], $this->dataRecord['database_user_prefix'], $dbuser_prefix));
+ $app->tpl->setVar("database_user", $app->tools_sites->removePrefix($this->dataRecord['database_user'], $this->dataRecord['database_user_prefix'], $dbuser_prefix), true);
}
if($this->dataRecord['database_user'] == "") {
- $app->tpl->setVar("database_user_prefix", $dbuser_prefix);
+ $app->tpl->setVar("database_user_prefix", $dbuser_prefix, true);
} else {
- $app->tpl->setVar("database_user_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_user_prefix'], $dbuser_prefix, $global_config['dbuser_prefix']));
+ $app->tpl->setVar("database_user_prefix", $app->tools_sites->getPrefix($this->dataRecord['database_user_prefix'], $dbuser_prefix, $global_config['dbuser_prefix']), true);
}
parent::onShowEnd();
diff --git a/interface/web/sites/form/web_childdomain.tform.php b/interface/web/sites/form/web_childdomain.tform.php
index 02480db42879a97058306114b8771f7cdd0ff9b2..6cfaa38c2a5188f1441d8f3db59d44bea4a1f3be 100644
--- a/interface/web/sites/form/web_childdomain.tform.php
+++ b/interface/web/sites/form/web_childdomain.tform.php
@@ -125,7 +125,7 @@ $form["tabs"]['domain'] = array (
'datatype' => 'VARCHAR',
'formtype' => 'TEXT',
'validators' => array ( 0 => array ( 'type' => 'REGEX',
- 'regex' => '@^(([\.]{0})|((ftp|https?)://([-\w\.]+)+(:\d+)?(/([\w/_\.\-\,\+\?\~!:%]*(\?\S+)?)?)?)|(\[scheme\]://([-\w\.]+)+(:\d+)?(/([\w/_\.\-\,\+\?\~!:%]*(\?\S+)?)?)?)|(/(?!.*\.\.)[\w/_\.\-]{1,255}/))$@',
+ 'regex' => '@^(([\.]{0})|((ftp|https?|\[scheme\])://([-\w\.]+)+(:\d+)?(/([\w/_\.\,\-\+\?\~!:%]*(\?\S+)?)?)?)(?:#\S*)?|(/(?!.*\.\.)[\w/_\.\-]{1,255}/))$@',
'errmsg'=> 'redirect_error_regex'),
),
'default' => '',
diff --git a/interface/web/sites/form/web_vhost_domain.tform.php b/interface/web/sites/form/web_vhost_domain.tform.php
index 98b006eacfa74aedd5ab328fc287a98954dbbdfe..11132f5469d5c5ebabb2e1e81b95e1de2bb780b0 100644
--- a/interface/web/sites/form/web_vhost_domain.tform.php
+++ b/interface/web/sites/form/web_vhost_domain.tform.php
@@ -396,7 +396,7 @@ $form["tabs"]['redirect'] = array (
'redirect_path' => array (
'datatype' => 'VARCHAR',
'validators' => array ( 0 => array ( 'type' => 'REGEX',
- 'regex' => '@^(([\.]{0})|((ftp|https?)://([-\w\.]+)+(:\d+)?(/([\w/_\.\,\-\+\?\~!:%]*(\?\S+)?)?)?)|(\[scheme\]://([-\w\.]+)+(:\d+)?(/([\w/_\.\-\,\+\?\~!:%]*(\?\S+)?)?)?)|(/(?!.*\.\.)[\w/_\.\-]{1,255}/))$@',
+ 'regex' => '@^(([\.]{0})|((ftp|https?|\[scheme\])://([-\w\.]+)+(:\d+)?(/([\w/_\.\,\-\+\?\~!:%]*(\?\S+)?)?)?)(?:#\S*)?|(/(?!.*\.\.)[\w/_\.\-]{1,255}/))$@',
'errmsg'=> 'redirect_error_regex'),
),
'formtype' => 'TEXT',
diff --git a/interface/web/sites/ftp_user_edit.php b/interface/web/sites/ftp_user_edit.php
index 9de400ce0392fcff585fe6450621d8c15b6d3d14..7fab1e2273e850d9e59fcb7c48bbd0d4186e1f7a 100644
--- a/interface/web/sites/ftp_user_edit.php
+++ b/interface/web/sites/ftp_user_edit.php
@@ -79,13 +79,13 @@ class page_action extends tform_actions {
if ($this->dataRecord['username'] != ""){
/* REMOVE the restriction */
- $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $ftpuser_prefix));
+ $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $ftpuser_prefix), true);
}
if($this->dataRecord['username'] == "") {
- $app->tpl->setVar("username_prefix", $ftpuser_prefix);
+ $app->tpl->setVar("username_prefix", $ftpuser_prefix, true);
} else {
- $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $ftpuser_prefix, $global_config['ftpuser_prefix']));
+ $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $ftpuser_prefix, $global_config['ftpuser_prefix']), true);
}
parent::onShowEnd();
diff --git a/interface/web/sites/shell_user_edit.php b/interface/web/sites/shell_user_edit.php
index 77c4509b44e7e2c56c5ca72d80e16d3d30b2198e..7f74d893fc54cef87bdbdd423ea7ba6be267a89f 100644
--- a/interface/web/sites/shell_user_edit.php
+++ b/interface/web/sites/shell_user_edit.php
@@ -79,19 +79,19 @@ class page_action extends tform_actions {
if ($this->dataRecord['username'] != ""){
/* REMOVE the restriction */
- $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $shelluser_prefix));
+ $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $shelluser_prefix), true);
}
if($this->dataRecord['username'] == "") {
- $app->tpl->setVar("username_prefix", $shelluser_prefix);
+ $app->tpl->setVar("username_prefix", $shelluser_prefix, true);
} else {
- $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $shelluser_prefix, $global_config['shelluser_prefix']));
+ $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $shelluser_prefix, $global_config['shelluser_prefix']), true);
}
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
+ $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
diff --git a/interface/web/sites/web_childdomain_edit.php b/interface/web/sites/web_childdomain_edit.php
index 6ef98f901fb864083d41b9feb64bd102edab4f67..2da58a4661c4342dfe92402dc6c23aace687ae91 100644
--- a/interface/web/sites/web_childdomain_edit.php
+++ b/interface/web/sites/web_childdomain_edit.php
@@ -87,7 +87,7 @@ class page_action extends tform_actions {
}
}
- $app->tpl->setVar('childdomain_type', $this->_childdomain_type);
+ $app->tpl->setVar('childdomain_type', $this->_childdomain_type, true);
parent::onShowNew();
}
@@ -118,7 +118,7 @@ class page_action extends tform_actions {
} elseif($this->_childdomain_type == 'aliasdomain' && $domain['domain'] == $this->dataRecord["domain"]) {
$domain_select .= " selected";
}
- $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n";
+ $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n";
}
}
else {
@@ -144,7 +144,7 @@ class page_action extends tform_actions {
$this->dataRecord["domain"] = str_replace('.'.$parent_domain["domain"], '', $this->dataRecord["domain"]);
}
}
- if($this->_childdomain_type == 'subdomain') $app->tpl->setVar("domain", $this->dataRecord["domain"]);
+ if($this->_childdomain_type == 'subdomain') $app->tpl->setVar("domain", $this->dataRecord["domain"], true);
$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
if($_SESSION["s"]["user"]["typ"] != 'admin' && !$app->auth->has_clients($_SESSION['s']['user']['userid'])) {
@@ -159,7 +159,7 @@ class page_action extends tform_actions {
$proxy_directive_snippets_txt = '';
if(is_array($proxy_directive_snippets) && !empty($proxy_directive_snippets)){
foreach($proxy_directive_snippets as $proxy_directive_snippet){
- $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']'.$proxy_directive_snippet['snippet'].'
';
+ $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']'.$app->functions->htmlentities($proxy_directive_snippet['snippet']).'
';
}
}
if($proxy_directive_snippets_txt == '') $proxy_directive_snippets_txt = '------';
@@ -167,7 +167,7 @@ class page_action extends tform_actions {
$app->tpl->setVar('limit_ssl_letsencrypt', 'y');
}
- $app->tpl->setVar('childdomain_type', $this->_childdomain_type);
+ $app->tpl->setVar('childdomain_type', $this->_childdomain_type, true);
parent::onShowEnd();
diff --git a/interface/web/sites/web_childdomain_list.php b/interface/web/sites/web_childdomain_list.php
index a4e953c07e99115de6a14da7952e14d8e42fed66..f445c4b50bf826e2c72a327488e423ad0fc69f48 100644
--- a/interface/web/sites/web_childdomain_list.php
+++ b/interface/web/sites/web_childdomain_list.php
@@ -56,7 +56,7 @@ $_SESSION['s']['var']['childdomain_type'] = $show_type;
class list_action extends listform_actions {
function onShow() {
global $app;
- $app->tpl->setVar('childdomain_type', $_SESSION['s']['var']['childdomain_type']);
+ $app->tpl->setVar('childdomain_type', $_SESSION['s']['var']['childdomain_type'], true);
parent::onShow();
}
diff --git a/interface/web/sites/web_vhost_domain_edit.php b/interface/web/sites/web_vhost_domain_edit.php
index 023f8db0c52938f467b5c3eb5c8ba6d61e9420c5..52771819c34c2f275e1ce69b689bcf1bd8a4aeb4 100644
--- a/interface/web/sites/web_vhost_domain_edit.php
+++ b/interface/web/sites/web_vhost_domain_edit.php
@@ -115,7 +115,7 @@ class page_action extends tform_actions {
$client = $app->db->queryOneRecord("SELECT client.web_servers FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
$web_servers = explode(',', $client['web_servers']);
$server_id = $web_servers[0];
- $app->tpl->setVar("server_id_value", $server_id);
+ $app->tpl->setVar("server_id_value", $server_id, true);
unset($web_servers);
} else {
$settings = $app->getconf->get_global_config('sites');
@@ -130,7 +130,7 @@ class page_action extends tform_actions {
$app->tform->formDef['tabs']['domain']['fields']['php']['default'] = $web_config['php_handler'];
$app->tform->formDef['tabs']['domain']['readonly'] = false;
- $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type);
+ $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type, true);
parent::onShowNew();
}
@@ -179,7 +179,7 @@ class page_action extends tform_actions {
$options_web_servers = "";
foreach ($web_servers as $web_server) {
- $options_web_servers .= '';
+ $options_web_servers .= '';
}
$app->tpl->setVar("server_id", $options_web_servers);
@@ -214,7 +214,7 @@ class page_action extends tform_actions {
if(is_array($ips)) {
foreach( $ips as $ip) {
$selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':'';
- $ip_select .= "\r\n";
+ $ip_select .= "\r\n";
}
}
$app->tpl->setVar("ip_address", $ip_select);
@@ -230,7 +230,7 @@ class page_action extends tform_actions {
if(is_array($ips)) {
foreach( $ips as $ip) {
$selected = ($ip["ip_address"] == $this->dataRecord["ipv6_address"])?'SELECTED':'';
- $ip_select .= "\r\n";
+ $ip_select .= "\r\n";
}
}
$app->tpl->setVar("ipv6_address", $ip_select);
@@ -266,7 +266,7 @@ class page_action extends tform_actions {
$php_version = $php_record['name'].':'.$php_record['php_fastcgi_binary'].':'.$php_record['php_fastcgi_ini_dir'];
}
$selected = ($php_version == $this->dataRecord["fastcgi_php_version"])?'SELECTED':'';
- $php_select .= "\r\n";
+ $php_select .= "\r\n";
}
}
$app->tpl->setVar("fastcgi_php_version", $php_select);
@@ -306,7 +306,7 @@ class page_action extends tform_actions {
$options_web_servers = "";
foreach ($web_servers as $web_server) {
- $options_web_servers .= '';
+ $options_web_servers .= '';
}
$app->tpl->setVar("server_id", $options_web_servers);
@@ -361,7 +361,7 @@ class page_action extends tform_actions {
if(is_array($ips)) {
foreach( $ips as $ip) {
$selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':'';
- $ip_select .= "\r\n";
+ $ip_select .= "\r\n";
}
}
$app->tpl->setVar("ip_address", $ip_select);
@@ -376,7 +376,7 @@ class page_action extends tform_actions {
if(is_array($ips)) {
foreach( $ips as $ip) {
$selected = ($ip["ip_address"] == $this->dataRecord["ipv6_address"])?'SELECTED':'';
- $ip_select .= "\r\n";
+ $ip_select .= "\r\n";
}
}
$app->tpl->setVar("ipv6_address", $ip_select);
@@ -413,7 +413,7 @@ class page_action extends tform_actions {
$php_version = $php_record['name'].':'.$php_record['php_fastcgi_binary'].':'.$php_record['php_fastcgi_ini_dir'];
}
$selected = ($php_version == $this->dataRecord["fastcgi_php_version"])?'SELECTED':'';
- $php_select .= "\r\n";
+ $php_select .= "\r\n";
}
}
$app->tpl->setVar("fastcgi_php_version", $php_select);
@@ -441,7 +441,7 @@ class page_action extends tform_actions {
$php_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
';
foreach($php_directive_snippets as $php_directive_snippet){
$php_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $php_directive_snippet['snippet'] . PHP_EOL;
- $php_directive_snippets_txt .= '['.$php_directive_snippet['name'].']'.htmlentities($php_directive_snippet['snippet']).'
';
+ $php_directive_snippets_txt .= '['.$app->functions->htmlentities($php_directive_snippet['name']).']'.$app->functions->htmlentities($php_directive_snippet['snippet']).'
';
}
}
if($php_directive_snippets_txt == '') $php_directive_snippets_txt = '------';
@@ -464,7 +464,7 @@ class page_action extends tform_actions {
$apache_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
';
foreach($apache_directive_snippets as $apache_directive_snippet){
$apache_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $apache_directive_snippet['snippet'] . PHP_EOL;
- $apache_directive_snippets_txt .= '['.$apache_directive_snippet['name'].']'.htmlentities($apache_directive_snippet['snippet']).'
';
+ $apache_directive_snippets_txt .= '['.$app->functions->htmlentities($apache_directive_snippet['name']).']'.$app->functions->htmlentities($apache_directive_snippet['snippet']).'
';
}
}
if($apache_directive_snippets_txt == '') $apache_directive_snippets_txt = '------';
@@ -478,7 +478,7 @@ class page_action extends tform_actions {
$nginx_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
';
foreach($nginx_directive_snippets as $nginx_directive_snippet){
$nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL;
- $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']'.htmlentities($nginx_directive_snippet['snippet']).'
';
+ $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']'.$app->functions->htmlentities($nginx_directive_snippet['snippet']).'
';
}
$nginx_directive_snippets_txt .= '
';
}
@@ -488,7 +488,7 @@ class page_action extends tform_actions {
$nginx_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
';
foreach($nginx_directive_snippets as $nginx_directive_snippet){
$nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL;
- $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']'.htmlentities($nginx_directive_snippet['snippet']).'
';
+ $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']'.$app->functions->htmlentities($nginx_directive_snippet['snippet']).'
';
}
}
if($nginx_directive_snippets_txt == '') $nginx_directive_snippets_txt = '------';
@@ -501,7 +501,7 @@ class page_action extends tform_actions {
$proxy_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
';
foreach($proxy_directive_snippets as $proxy_directive_snippet){
$proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL;
- $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']'.htmlentities($proxy_directive_snippet['snippet']).'
';
+ $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']'.$app->functions->htmlentities($proxy_directive_snippet['snippet']).'
';
}
$proxy_directive_snippets_txt .= '
';
}
@@ -511,7 +511,7 @@ class page_action extends tform_actions {
$proxy_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
';
foreach($proxy_directive_snippets as $proxy_directive_snippet){
$proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL;
- $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']'.htmlentities($proxy_directive_snippet['snippet']).'
';
+ $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']'.$app->functions->htmlentities($proxy_directive_snippet['snippet']).'
';
}
}
if($proxy_directive_snippets_txt == '') $proxy_directive_snippets_txt = '------';
@@ -557,7 +557,7 @@ class page_action extends tform_actions {
if(is_array($ips)) {
foreach( $ips as $ip) {
$selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':'';
- $ip_select .= "\r\n";
+ $ip_select .= "\r\n";
}
}
$app->tpl->setVar("ip_address", $ip_select);
@@ -572,7 +572,7 @@ class page_action extends tform_actions {
if(is_array($ips)) {
foreach( $ips as $ip) {
$selected = ($ip["ip_address"] == $this->dataRecord["ipv6_address"])?'SELECTED':'';
- $ip_select .= "\r\n";
+ $ip_select .= "\r\n";
}
}
$app->tpl->setVar("ipv6_address", $ip_select);
@@ -633,7 +633,7 @@ class page_action extends tform_actions {
$php_version = $php_record['name'].':'.$php_record['php_fastcgi_binary'].':'.$php_record['php_fastcgi_ini_dir'];
}
$selected = ($php_version == $this->dataRecord["fastcgi_php_version"])?'SELECTED':'';
- $php_select .= "\r\n";
+ $php_select .= "\r\n";
}
}
$app->tpl->setVar("fastcgi_php_version", $php_select);
@@ -648,7 +648,7 @@ class page_action extends tform_actions {
$php_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
';
foreach($php_directive_snippets as $php_directive_snippet){
$php_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $php_directive_snippet['snippet'] . PHP_EOL;
- $php_directive_snippets_txt .= '['.$php_directive_snippet['name'].']'.htmlentities($php_directive_snippet['snippet']).'
';
+ $php_directive_snippets_txt .= '['.$app->functions->htmlentities($php_directive_snippet['name']).']'.$app->functions->htmlentities($php_directive_snippet['snippet']).'
';
}
$php_directive_snippets_txt .= '
';
}
@@ -658,7 +658,7 @@ class page_action extends tform_actions {
$php_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
';
foreach($php_directive_snippets as $php_directive_snippet){
$php_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $php_directive_snippet['snippet'] . PHP_EOL;
- $php_directive_snippets_txt .= '['.$php_directive_snippet['name'].']'.htmlentities($php_directive_snippet['snippet']).'
';
+ $php_directive_snippets_txt .= '['.$app->functions->htmlentities($php_directive_snippet['name']).']'.$app->functions->htmlentities($php_directive_snippet['snippet']).'
';
}
}
if($php_directive_snippets_txt == '') $php_directive_snippets_txt = '------';
@@ -671,7 +671,7 @@ class page_action extends tform_actions {
$apache_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
';
foreach($apache_directive_snippets as $apache_directive_snippet){
$apache_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $apache_directive_snippet['snippet'] . PHP_EOL;
- $apache_directive_snippets_txt .= '['.$apache_directive_snippet['name'].']'.htmlentities($apache_directive_snippet['snippet']).'
';
+ $apache_directive_snippets_txt .= '['.$app->functions->htmlentities($apache_directive_snippet['name']).']'.$app->functions->htmlentities($apache_directive_snippet['snippet']).'
';
}
$apache_directive_snippets_txt .= '
';
}
@@ -681,7 +681,7 @@ class page_action extends tform_actions {
$apache_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
';
foreach($apache_directive_snippets as $apache_directive_snippet){
$apache_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $apache_directive_snippet['snippet'] . PHP_EOL;
- $apache_directive_snippets_txt .= '['.$apache_directive_snippet['name'].']'.htmlentities($apache_directive_snippet['snippet']).'
';
+ $apache_directive_snippets_txt .= '['.$app->functions->htmlentities($apache_directive_snippet['name']).']'.$app->functions->htmlentities($apache_directive_snippet['snippet']).'
';
}
}
if($apache_directive_snippets_txt == '') $apache_directive_snippets_txt = '------';
@@ -695,7 +695,7 @@ class page_action extends tform_actions {
$nginx_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
';
foreach($nginx_directive_snippets as $nginx_directive_snippet){
$nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL;
- $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']'.htmlentities($nginx_directive_snippet['snippet']).'
';
+ $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']'.$app->functions->htmlentities($nginx_directive_snippet['snippet']).'
';
}
$nginx_directive_snippets_txt .= '
';
}
@@ -705,7 +705,7 @@ class page_action extends tform_actions {
$nginx_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
';
foreach($nginx_directive_snippets as $nginx_directive_snippet){
$nginx_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $nginx_directive_snippet['snippet'] . PHP_EOL;
- $nginx_directive_snippets_txt .= '['.$nginx_directive_snippet['name'].']'.htmlentities($nginx_directive_snippet['snippet']).'
';
+ $nginx_directive_snippets_txt .= '['.$app->functions->htmlentities($nginx_directive_snippet['name']).']'.$app->functions->htmlentities($nginx_directive_snippet['snippet']).'
';
}
}
if($nginx_directive_snippets_txt == '') $nginx_directive_snippets_txt = '------';
@@ -718,7 +718,7 @@ class page_action extends tform_actions {
$proxy_directive_snippets_txt .= $app->tform->wordbook["select_master_directive_snippet_txt"].'
';
foreach($proxy_directive_snippets as $proxy_directive_snippet){
$proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL;
- $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']'.htmlentities($proxy_directive_snippet['snippet']).'
';
+ $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']'.$app->functions->htmlentities($proxy_directive_snippet['snippet']).'
';
}
$proxy_directive_snippets_txt .= '
';
}
@@ -728,7 +728,7 @@ class page_action extends tform_actions {
$proxy_directive_snippets_txt .= $app->tform->wordbook["select_directive_snippet_txt"].'
';
foreach($proxy_directive_snippets as $proxy_directive_snippet){
$proxy_directive_snippet['snippet'] = PHP_EOL . PHP_EOL . $proxy_directive_snippet['snippet'] . PHP_EOL;
- $proxy_directive_snippets_txt .= '['.$proxy_directive_snippet['name'].']'.htmlentities($proxy_directive_snippet['snippet']).'
';
+ $proxy_directive_snippets_txt .= '['.$app->functions->htmlentities($proxy_directive_snippet['name']).']'.$app->functions->htmlentities($proxy_directive_snippet['snippet']).'
';
}
}
if($proxy_directive_snippets_txt == '') $proxy_directive_snippets_txt = '------';
@@ -748,7 +748,7 @@ class page_action extends tform_actions {
if(is_array($ssl_domains)) {
foreach( $ssl_domains as $ssl_domain) {
$selected = ($ssl_domain == $this->dataRecord['ssl_domain'])?'SELECTED':'';
- $ssl_domain_select .= "\r\n";
+ $ssl_domain_select .= "\r\n";
}
}
$app->tpl->setVar("ssl_domain", $ssl_domain_select);
@@ -761,8 +761,8 @@ class page_action extends tform_actions {
$app->tpl->setVar("edit_disabled", 1);
$app->tpl->setVar('fixed_folder', 'y');
if($this->_vhostdomain_type == 'domain') {
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
- $app->tpl->setVar("document_root", $this->dataRecord["document_root"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
+ $app->tpl->setVar("document_root", $this->dataRecord["document_root"], true);
}
else $app->tpl->setVar('server_id_value', $parent_domain['server_id']);
} else {
@@ -798,7 +798,7 @@ class page_action extends tform_actions {
} elseif($this->_vhostdomain_type == 'domain' && $domain['domain'] == $this->dataRecord["domain"]) {
$domain_select .= " selected";
}
- $domain_select .= ">" . $app->functions->idn_decode($domain['domain']) . "\r\n";
+ $domain_select .= ">" . $app->functions->htmlentities($app->functions->idn_decode($domain['domain'])) . "\r\n";
}
}
else {
@@ -820,20 +820,20 @@ class page_action extends tform_actions {
if($this->dataRecord["type"] == 'vhostsubdomain') $this->dataRecord["domain"] = str_replace('.'.$parent_domain["domain"], '', $this->dataRecord["domain"]);
}
- if($this->_vhostdomain_type != 'domain') $app->tpl->setVar("domain", $this->dataRecord["domain"]);
+ if($this->_vhostdomain_type != 'domain') $app->tpl->setVar("domain", $this->dataRecord["domain"], true);
// check for configuration errors in sys_datalog
if($this->id > 0) {
$datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'web_domain' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'domain_id:' . $this->id);
if(is_array($datalog) && !empty($datalog)){
if(trim($datalog['error']) != ''){
- $app->tpl->setVar("config_error_msg", nl2br(htmlentities($datalog['error'])));
+ $app->tpl->setVar("config_error_msg", nl2br($app->functions->htmlentities($datalog['error'])));
$app->tpl->setVar("config_error_tstamp", date($app->lng('conf_format_datetime'), $datalog['tstamp']));
}
}
}
- $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type);
+ $app->tpl->setVar('vhostdomain_type', $this->_vhostdomain_type, true);
$app->tpl->setVar('is_spdy_enabled', ($web_config['enable_spdy'] === 'y'));
$app->tpl->setVar("is_admin", $is_admin);
@@ -859,7 +859,7 @@ class page_action extends tform_actions {
if(is_array($m_directive_snippets) && !empty($m_directive_snippets)){
$directive_snippets_id_select .= '';
}
@@ -868,7 +868,7 @@ class page_action extends tform_actions {
if(is_array($directive_snippets) && !empty($directive_snippets)){
$directive_snippets_id_select .= '';
}
diff --git a/interface/web/sites/web_vhost_domain_list.php b/interface/web/sites/web_vhost_domain_list.php
index 378eeaaf6a2bfa3acaf44e4325ba428162082a86..b74fd644f70bd42fadb6fcec7b38389e9c83d777 100644
--- a/interface/web/sites/web_vhost_domain_list.php
+++ b/interface/web/sites/web_vhost_domain_list.php
@@ -68,7 +68,7 @@ $_SESSION['s']['var']['vhostdomain_type'] = $show_type;
class list_action extends listform_actions {
function onShow() {
global $app;
- $app->tpl->setVar('vhostdomain_type', $_SESSION['s']['var']['vhostdomain_type']);
+ $app->tpl->setVar('vhostdomain_type', $_SESSION['s']['var']['vhostdomain_type'], true);
parent::onShow();
}
diff --git a/interface/web/sites/webdav_user_edit.php b/interface/web/sites/webdav_user_edit.php
index 73e47eb7a98d5ef6e847614384eb9df1d11aea38..e02e0bdaff10e56bb3ac4a41d615a4b53b6ce79b 100644
--- a/interface/web/sites/webdav_user_edit.php
+++ b/interface/web/sites/webdav_user_edit.php
@@ -78,19 +78,19 @@ class page_action extends tform_actions {
if ($this->dataRecord['username'] != "") {
/* REMOVE the restriction */
- $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $webdavuser_prefix));
+ $app->tpl->setVar("username", $app->tools_sites->removePrefix($this->dataRecord['username'], $this->dataRecord['username_prefix'], $webdavuser_prefix), true);
}
if($this->dataRecord['username'] == "") {
- $app->tpl->setVar("username_prefix", $webdavuser_prefix);
+ $app->tpl->setVar("username_prefix", $webdavuser_prefix, true);
} else {
- $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix']));
+ $app->tpl->setVar("username_prefix", $app->tools_sites->getPrefix($this->dataRecord['username_prefix'], $webdavuser_prefix, $global_config['webdavuser_prefix']), true);
}
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"]);
+ $app->tpl->setVar("parent_domain_id_value", $this->dataRecord["parent_domain_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
diff --git a/interface/web/tools/dns_import_tupa.php b/interface/web/tools/dns_import_tupa.php
index 849a097680f74a6f7bd68584340f3fc4c76fa1f0..12bd03529673c39a8b5d9979e2f4cf4bc6a84111 100644
--- a/interface/web/tools/dns_import_tupa.php
+++ b/interface/web/tools/dns_import_tupa.php
@@ -50,10 +50,10 @@ if(isset($_POST['start']) && $_POST['start'] == 1) {
$app->auth->csrf_token_check();
//* Set variable sin template
- $app->tpl->setVar('dbhost', $_POST['dbhost']);
- $app->tpl->setVar('dbname', $_POST['dbname']);
- $app->tpl->setVar('dbuser', $_POST['dbuser']);
- $app->tpl->setVar('dbpassword', $_POST['dbpassword']);
+ $app->tpl->setVar('dbhost', $_POST['dbhost'], true);
+ $app->tpl->setVar('dbname', $_POST['dbname'], true);
+ $app->tpl->setVar('dbuser', $_POST['dbuser'], true);
+ $app->tpl->setVar('dbpassword', $_POST['dbpassword'], true);
//* Establish connection to external database
$msg .= 'Connecting to external database...
';
diff --git a/interface/web/tools/import_ispconfig.php b/interface/web/tools/import_ispconfig.php
index c43b15b7eb0ef286ff5d66ab8220f1e1d91bb2c1..0e7763dd98d15a79f660e0ade9f03b89f3a4b9bf 100644
--- a/interface/web/tools/import_ispconfig.php
+++ b/interface/web/tools/import_ispconfig.php
@@ -142,9 +142,9 @@ if(isset($_POST['connected'])) {
}
-$app->tpl->setVar('remote_server', $_POST['remote_server']);
-$app->tpl->setVar('remote_user', $_POST['remote_user']);
-$app->tpl->setVar('remote_password', $_POST['remote_password']);
+$app->tpl->setVar('remote_server', $_POST['remote_server'], true);
+$app->tpl->setVar('remote_user', $_POST['remote_user'], true);
+$app->tpl->setVar('remote_password', $_POST['remote_password'], true);
$app->tpl->setVar('connected', $connected);
$app->tpl->setVar('remote_session_id', $remote_session_id);
$app->tpl->setVar('msg', $msg);
diff --git a/interface/web/tools/import_vpopmail.php b/interface/web/tools/import_vpopmail.php
index 9e560cdf30455be6c9e3459aec98334cfa3a7a54..3ef87710e593cb37c6980e5cfa4e16c54052dc3d 100644
--- a/interface/web/tools/import_vpopmail.php
+++ b/interface/web/tools/import_vpopmail.php
@@ -84,11 +84,11 @@ if(isset($_POST['db_hostname']) && $_POST['db_hostname'] != '') {
$_POST['local_server_id'] = 1;
}
-$app->tpl->setVar('db_hostname', $_POST['db_hostname']);
-$app->tpl->setVar('db_user', $_POST['db_user']);
-$app->tpl->setVar('db_password', $_POST['db_password']);
-$app->tpl->setVar('db_name', $_POST['db_name']);
-$app->tpl->setVar('local_server_id', $_POST['local_server_id']);
+$app->tpl->setVar('db_hostname', $_POST['db_hostname'], true);
+$app->tpl->setVar('db_user', $_POST['db_user'], true);
+$app->tpl->setVar('db_password', $_POST['db_password'], true);
+$app->tpl->setVar('db_name', $_POST['db_name'], true);
+$app->tpl->setVar('local_server_id', $_POST['local_server_id'], true);
$app->tpl->setVar('msg', $msg);
$app->tpl->setVar('error', $error);
diff --git a/interface/web/vm/openvz_vm_edit.php b/interface/web/vm/openvz_vm_edit.php
index 2a5b12f3d712886143a05b65acdfbed536afcad1..4dd1a551deff4e8cb40c7f2cb23200acbc93627e 100644
--- a/interface/web/vm/openvz_vm_edit.php
+++ b/interface/web/vm/openvz_vm_edit.php
@@ -86,7 +86,7 @@ class page_action extends tform_actions {
if(is_array($records)) {
foreach( $records as $rec) {
$selected = @($rec["template_id"] == $this->dataRecord["template_id"])?'SELECTED':'';
- $template_id_select .= "\r\n";
+ $template_id_select .= "\r\n";
}
}
$app->tpl->setVar("template_id_select", $template_id_select);
@@ -109,7 +109,7 @@ class page_action extends tform_actions {
if(is_array($records)) {
foreach( $records as $rec) {
$selected = @(is_array($this->dataRecord) && ($client["groupid"] == $this->dataRecord['client_group_id'] || $client["groupid"] == $this->dataRecord['sys_groupid']))?'SELECTED':'';
- $client_select .= "\r\n";
+ $client_select .= "\r\n";
}
}
$app->tpl->setVar("client_group_id", $client_select);
@@ -124,7 +124,7 @@ class page_action extends tform_actions {
if(is_array($records)) {
foreach( $records as $rec) {
$selected = @($rec["template_id"] == $this->dataRecord["template_id"])?'SELECTED':'';
- $template_id_select .= "\r\n";
+ $template_id_select .= "\r\n";
}
}
$app->tpl->setVar("template_id_select", $template_id_select);
@@ -141,7 +141,7 @@ class page_action extends tform_actions {
if(is_array($clients)) {
foreach( $clients as $client) {
$selected = @(is_array($this->dataRecord) && ($client["groupid"] == $this->dataRecord['client_group_id'] || $client["groupid"] == $this->dataRecord['sys_groupid']))?'SELECTED':'';
- $client_select .= "\r\n";
+ $client_select .= "\r\n";
}
}
$app->tpl->setVar("client_group_id", $client_select);
@@ -153,7 +153,7 @@ class page_action extends tform_actions {
$template_id_select='';
foreach( $records as $rec) {
$selected = @($rec["template_id"] == $this->dataRecord["template_id"])?'SELECTED':'';
- $template_id_select .= "\r\n";
+ $template_id_select .= "\r\n";
}
}
$app->tpl->setVar("template_id_select", $template_id_select);
@@ -175,7 +175,7 @@ class page_action extends tform_actions {
if(is_array($ips)) {
foreach( $ips as $ip) {
$selected = ($ip["ip_address"] == $this->dataRecord["ip_address"])?'SELECTED':'';
- $ip_select .= "\r\n";
+ $ip_select .= "\r\n";
}
}
$app->tpl->setVar("ip_address", $ip_select);
@@ -188,7 +188,7 @@ class page_action extends tform_actions {
foreach ($additional_ips as $idx => $rec) {
$temp .= "";
$used = @($rec['additional']=='y')?'CHECKED':'';
- $temp .= " ".$rec['ip_address']."
";
+ $temp .= " ".$app->functions->htmlentities($rec['ip_address'])."
";
}
$app->tpl->setVar("additional_ip", $temp);
unset($used);
@@ -198,8 +198,8 @@ class page_action extends tform_actions {
if($this->id > 0) {
//* we are editing a existing record
$app->tpl->setVar("edit_disabled", 1);
- $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
- $app->tpl->setVar("ostemplate_id_value", $this->dataRecord["ostemplate_id"]);
+ $app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
+ $app->tpl->setVar("ostemplate_id_value", $this->dataRecord["ostemplate_id"], true);
} else {
$app->tpl->setVar("edit_disabled", 0);
}
diff --git a/security/security_settings.ini b/security/security_settings.ini
index eb78e24d53d5ef1cce7d3d4176843bfcfafc66fd..d7b65ba48ec23aac32b1d6296f66962ea3ae662e 100644
--- a/security/security_settings.ini
+++ b/security/security_settings.ini
@@ -19,10 +19,18 @@ password_reset_allowed=yes
session_regenerate_id=yes
[ids]
-ids_enabled=no
-ids_log_level=1
-ids_warn_level=5
-ids_block_level=100
+ids_anon_enabled=yes
+ids_anon_log_level=1
+ids_anon_warn_level=5
+ids_anon_block_level=20
+ids_user_enabled=yes
+ids_user_log_level=1
+ids_user_warn_level=10
+ids_user_block_level=25
+ids_admin_enabled=no
+ids_admin_log_level=1
+ids_admin_warn_level=5
+ids_admin_block_level=100
sql_scan_enabled=yes
sql_scan_action=warn
apache_directives_scan_enabled=yes
diff --git a/server/conf/vhost.conf.master b/server/conf/vhost.conf.master
index 063b5c7e3390666fb569578f97ec5448e9b38b35..6a026d447a6862984e56b8471eb32d09a8d2ae65 100644
--- a/server/conf/vhost.conf.master
+++ b/server/conf/vhost.conf.master
@@ -182,6 +182,13 @@
+
+
+ SetHandler mod_python
+
+ PythonHandler mod_python.publisher
+ PythonDebug On
+
SetHandler mod_python
diff --git a/server/plugins-available/apache2_plugin.inc.php b/server/plugins-available/apache2_plugin.inc.php
index 1a802bcf96dd8078f62c7df8032dd5dc49e3da90..37b903daf06dbc58ff1438014ad52f141b6fe764 100644
--- a/server/plugins-available/apache2_plugin.inc.php
+++ b/server/plugins-available/apache2_plugin.inc.php
@@ -457,11 +457,11 @@ class apache2_plugin {
$app->system->unlink($crt_file);
$app->system->unlink($bundle_file);
/* Update the DB of the (local) Server */
- $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ?", $data['new']['domain']);
- $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
+ $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']);
+ $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']);
/* Update also the master-DB of the Server-Farm */
- $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ?", $data['new']['domain']);
- $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
+ $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']);
+ $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']);
$app->log('Deleting SSL Cert for: '.$domain, LOGLEVEL_DEBUG);
}
@@ -681,10 +681,10 @@ class apache2_plugin {
$fstab_line_old = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind';
if($web_config['network_filesystem'] == 'y') {
- $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nobootwait,_netdev 0 0';
+ $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nofail,_netdev 0 0';
$app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1);
} else {
- $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nobootwait 0 0';
+ $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nofail 0 0';
$app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1);
}
diff --git a/server/plugins-available/nginx_plugin.inc.php b/server/plugins-available/nginx_plugin.inc.php
index daf953e2650063799c2f52e6642ab9c90183c06e..8335ce2e3f6e26c75bdbf72d4f725666c30959b9 100644
--- a/server/plugins-available/nginx_plugin.inc.php
+++ b/server/plugins-available/nginx_plugin.inc.php
@@ -289,11 +289,11 @@ class nginx_plugin {
$app->system->unlink($csr_file);
$app->system->unlink($crt_file);
/* Update the DB of the (local) Server */
- $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ?", $data['new']['domain']);
- $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
+ $app->db->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']);
+ $app->db->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']);
/* Update also the master-DB of the Server-Farm */
- $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ?", $data['new']['domain']);
- $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ?", $data['new']['domain']);
+ $app->dbmaster->query("UPDATE web_domain SET ssl_request = '', ssl_cert = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']);
+ $app->dbmaster->query("UPDATE web_domain SET ssl_action = '' WHERE domain = ? AND server_id = ?", $data['new']['domain'], $data['new']['server_id']);
$app->log('Deleting SSL Cert for: '.$domain, LOGLEVEL_DEBUG);
}
@@ -528,10 +528,10 @@ class nginx_plugin {
$fstab_line_old = '/var/log/ispconfig/httpd/'.$data['old']['domain'].' '.$data['old']['document_root'].'/'.$old_log_folder.' none bind';
if($web_config['network_filesystem'] == 'y') {
- $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nobootwait,_netdev 0 0';
+ $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nofail,_netdev 0 0';
$app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1);
} else {
- $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nobootwait 0 0';
+ $fstab_line = '/var/log/ispconfig/httpd/'.$data['new']['domain'].' '.$data['new']['document_root'].'/'.$log_folder.' none bind,nofail 0 0';
$app->system->replaceLine('/etc/fstab', $fstab_line_old, $fstab_line, 0, 1);
}
diff --git a/server/plugins-available/shelluser_base_plugin.inc.php b/server/plugins-available/shelluser_base_plugin.inc.php
index 74c6fa364f77611c77096ef7b53570690e1c00c1..9c4568901deef3e73b8051929ca94247070e6fd2 100755
--- a/server/plugins-available/shelluser_base_plugin.inc.php
+++ b/server/plugins-available/shelluser_base_plugin.inc.php
@@ -226,6 +226,9 @@ class shelluser_base_plugin {
$homedir_old = $data['old']['dir'].'/home/'.$data['old']['username'];
}
+ $app->log("Homedir New: ".$homedir, LOGLEVEL_DEBUG);
+ $app->log("Homedir Old: ".$homedir_old, LOGLEVEL_DEBUG);
+
// Check if the user that we want to update exists, if not, we insert it
if($app->system->is_user($data['old']['username'])) {
//* Remove webfolder protection
@@ -246,16 +249,27 @@ class shelluser_base_plugin {
$app->log("Executed command: $command ",LOGLEVEL_DEBUG);
*/
//$groupinfo = $app->system->posix_getgrnam($data['new']['pgroup']);
- if($homedir != $homedir_old && !is_dir($homedir)){
+ if($homedir != $homedir_old){
$app->system->web_folder_protection($web['document_root'], false);
- if(!is_dir($data['new']['dir'].'/home')){
+ // Rename dir, in case the new directory exists already.
+ if(is_dir($homedir)) {
+ $app->log("New Homedir exists, renaming it to ".$homedir.'_bak', LOGLEVEL_DEBUG);
+ $app->system->rename(escapeshellcmd($homedir),escapeshellcmd($homedir.'_bak'));
+ }
+ /*if(!is_dir($data['new']['dir'].'/home')){
$app->file->mkdirs(escapeshellcmd($data['new']['dir'].'/home'), '0750');
$app->system->chown(escapeshellcmd($data['new']['dir'].'/home'),escapeshellcmd($data['new']['puser']));
$app->system->chgrp(escapeshellcmd($data['new']['dir'].'/home'),escapeshellcmd($data['new']['pgroup']));
}
$app->file->mkdirs(escapeshellcmd($homedir), '0755');
$app->system->chown(escapeshellcmd($homedir),'root');
- $app->system->chgrp(escapeshellcmd($homedir),'root');
+ $app->system->chgrp(escapeshellcmd($homedir),'root');*/
+
+ // Move old directory to new path
+ $app->system->rename(escapeshellcmd($homedir_old),escapeshellcmd($homedir));
+ $app->file->mkdirs(escapeshellcmd($homedir), '0750');
+ $app->system->chown(escapeshellcmd($homedir),escapeshellcmd($data['new']['puser']));
+ $app->system->chgrp(escapeshellcmd($homedir),escapeshellcmd($data['new']['pgroup']));
$app->system->web_folder_protection($web['document_root'], true);
} else {
if(!is_dir($homedir)){
diff --git a/server/plugins-available/shelluser_jailkit_plugin.inc.php b/server/plugins-available/shelluser_jailkit_plugin.inc.php
index 69a041c037e4c2f96907ae2bd58b3ff8c09ee287..295112d4230e1f77ad55b862b78f5bba577d6506 100755
--- a/server/plugins-available/shelluser_jailkit_plugin.inc.php
+++ b/server/plugins-available/shelluser_jailkit_plugin.inc.php
@@ -350,6 +350,11 @@ class shelluser_jailkit_plugin {
//add the user to the chroot
$jailkit_chroot_userhome = $this->_get_home_dir($this->data['new']['username']);
+ if(isset($this->data['old']['username'])) {
+ $jailkit_chroot_userhome_old = $this->_get_home_dir($this->data['old']['username']);
+ } else {
+ $jailkit_chroot_userhome_old = '';
+ }
$jailkit_chroot_puserhome = $this->_get_home_dir($this->data['new']['puser']);
if(!is_dir($this->data['new']['dir'].'/etc')) mkdir($this->data['new']['dir'].'/etc', 0755);
@@ -398,13 +403,19 @@ class shelluser_jailkit_plugin {
$this->app->log("Added jailkit user to chroot with command: ".$command, LOGLEVEL_DEBUG);
- if(!is_dir($this->data['new']['dir'].$jailkit_chroot_userhome)) mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), 0755, true);
+ if(!is_dir($this->data['new']['dir'].$jailkit_chroot_userhome)) {
+ if(is_dir($this->data['old']['dir'].$jailkit_chroot_userhome_old)) {
+ $app->system->rename(escapeshellcmd($this->data['old']['dir'].$jailkit_chroot_userhome_old),escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome));
+ } else {
+ mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), 0750, true);
+ }
+ }
$app->system->chown(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), $this->data['new']['username']);
$app->system->chgrp(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_userhome), $this->data['new']['pgroup']);
$this->app->log("Added created jailkit user home in : ".$this->data['new']['dir'].$jailkit_chroot_userhome, LOGLEVEL_DEBUG);
- if(!is_dir($this->data['new']['dir'].$jailkit_chroot_puserhome)) mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), 0755, true);
+ if(!is_dir($this->data['new']['dir'].$jailkit_chroot_puserhome)) mkdir(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), 0750, true);
$app->system->chown(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), $this->data['new']['puser']);
$app->system->chgrp(escapeshellcmd($this->data['new']['dir'].$jailkit_chroot_puserhome), $this->data['new']['pgroup']);