diff --git a/alerts.php b/alerts.php index 6d791d213..1035214c0 100755 --- a/alerts.php +++ b/alerts.php @@ -182,7 +182,7 @@ function RunFollowUp() { } $alert['details'] = json_decode(gzuncompress($alert['details']), true); - $rextra = json_decode($alert['extra'], true); + $rextra = json_decode(htmlspecialchars_decode($alert['extra']), true); if ($rextra['invert']) { continue; } @@ -237,7 +237,7 @@ function RunAlerts() { $noiss = false; $noacc = false; $updet = false; - $rextra = json_decode($alert['extra'], true); + $rextra = json_decode(htmlspecialchars_decode($alert['extra']), true); $chk = dbFetchRow('SELECT alerts.alerted,devices.ignore,devices.disabled FROM alerts,devices WHERE alerts.device_id = ? && devices.device_id = alerts.device_id && alerts.rule_id = ?', array($alert['device_id'], $alert['rule_id'])); if ($chk['alerted'] == $alert['state']) { $noiss = true; diff --git a/html/ajax_dash.php b/html/ajax_dash.php index 0ffc58067..e5622c732 100644 --- a/html/ajax_dash.php +++ b/html/ajax_dash.php @@ -39,7 +39,7 @@ elseif (is_file('includes/common/'.$type.'.inc.php')) { $title = ucfirst($type); $unique_id = str_replace(array("-","."),"_",uniqid($type,true)); $widget_id = mres($_POST['id']); - $widget_settings = json_decode(dbFetchCell('select settings from users_widgets where user_widget_id = ?',array($widget_id)),true); + $widget_settings = json_decode(htmlspecialchars_decode(dbFetchCell('select settings from users_widgets where user_widget_id = ?',array($widget_id))),true); $widget_dimensions = $_POST['dimensions']; if( !empty($_POST['settings']) ) { define('show_settings',true); diff --git a/html/includes/dev-overview-data.inc.php b/html/includes/dev-overview-data.inc.php index 04c4de3dd..defeb6d44 100644 --- a/html/includes/dev-overview-data.inc.php +++ b/html/includes/dev-overview-data.inc.php @@ -68,14 +68,14 @@ if ($device['sysContact']) { Contact'; if (get_dev_attrib($device, 'override_sysContact_bool')) { echo ' - '.htmlspecialchars(get_dev_attrib($device, 'override_sysContact_string')).' + '.get_dev_attrib($device, 'override_sysContact_string').' SNMP Contact'; } echo ' - '.htmlspecialchars($device['sysContact']).' + '.$device['sysContact'].' '; } diff --git a/html/includes/print-alert-rules.php b/html/includes/print-alert-rules.php index eac1ae6fd..4a198d9a1 100644 --- a/html/includes/print-alert-rules.php +++ b/html/includes/print-alert-rules.php @@ -205,7 +205,7 @@ foreach (dbFetchRows($full_query, $param) as $rule) { echo 'Inverted '; } - echo ''.htmlentities($rule['rule']).''; + echo ''.$rule['rule'].''; echo ''.$rule['severity'].''; echo " "; if ($rule_extra['mute'] === true) { diff --git a/html/includes/print-alerts.inc.php b/html/includes/print-alerts.inc.php index d9758a0f3..ac75278fb 100644 --- a/html/includes/print-alerts.inc.php +++ b/html/includes/print-alerts.inc.php @@ -15,7 +15,7 @@ if (!isset($alert_entry['device'])) { '; } -echo ''.htmlspecialchars($alert_entry['name']).''; +echo ''.$alert_entry['name'].''; if ($alert_state != '') { if ($alert_state == '0') { diff --git a/html/includes/print-event-short.inc.php b/html/includes/print-event-short.inc.php index 42fc75768..2c02b7727 100644 --- a/html/includes/print-event-short.inc.php +++ b/html/includes/print-event-short.inc.php @@ -25,6 +25,6 @@ if ($entry['type'] == 'interface') { $entry['link'] = ''.generate_port_link(getifbyid($entry['reference'])).''; } - echo $entry['link'].' '.htmlspecialchars($entry['message']).' + echo $entry['link'].' '.$entry['message'].' '; diff --git a/html/includes/print-event.inc.php b/html/includes/print-event.inc.php index d8afd6bfa..14b6764d8 100644 --- a/html/includes/print-event.inc.php +++ b/html/includes/print-event.inc.php @@ -31,5 +31,5 @@ else { echo ''.$entry['link'].''; -echo ''.htmlspecialchars($entry['message']).' +echo ''.$entry['message'].' '; diff --git a/html/includes/print-syslog.inc.php b/html/includes/print-syslog.inc.php index 0f1c1c669..26a0d5b62 100644 --- a/html/includes/print-syslog.inc.php +++ b/html/includes/print-syslog.inc.php @@ -8,10 +8,10 @@ if (device_permitted($entry['device_id'])) { if ($vars['page'] != 'device') { $syslog_output .= ''.$entry['date'].' '.generate_device_link($entry).' - '.$entry['program'].' : '.htmlspecialchars($entry['msg']).''; + '.$entry['program'].' : '.$entry['msg'].''; } else { - $syslog_output .= ''.$entry['date'].'   '.$entry['program'].'   '.htmlspecialchars($entry['msg']).''; + $syslog_output .= ''.$entry['date'].'   '.$entry['program'].'   '.$entry['msg'].''; } $syslog_output .= ''; diff --git a/html/includes/reports/alert-log.pdf.inc.php b/html/includes/reports/alert-log.pdf.inc.php index d293b474b..13b13526d 100644 --- a/html/includes/reports/alert-log.pdf.inc.php +++ b/html/includes/reports/alert-log.pdf.inc.php @@ -66,7 +66,7 @@ foreach (dbFetchRows($full_query, $param) as $alert_entry) { $data[] = array( $alert_entry['time_logged'], $hostname, - htmlspecialchars($alert_entry['name']), + $alert_entry['name'], $text, ); }//end if diff --git a/html/includes/table/alertlog.inc.php b/html/includes/table/alertlog.inc.php index 8b4d94d3e..3c41acb78 100644 --- a/html/includes/table/alertlog.inc.php +++ b/html/includes/table/alertlog.inc.php @@ -77,7 +77,7 @@ foreach (dbFetchRows($sql, $param) as $alertlog) { 'time_logged' => $alertlog['humandate'], 'details' => '', 'hostname' => '
'.generate_device_link($dev, shorthost($dev['hostname'])).'
'.$fault_detail.'
', - 'alert' => htmlspecialchars($alertlog['alert']), + 'alert' => $alertlog['alert'], 'status' => " $text", ); }//end foreach diff --git a/html/includes/table/eventlog.inc.php b/html/includes/table/eventlog.inc.php index 62edbbefd..6390b0d0f 100644 --- a/html/includes/table/eventlog.inc.php +++ b/html/includes/table/eventlog.inc.php @@ -66,7 +66,7 @@ foreach (dbFetchRows($sql, $param) as $eventlog) { 'datetime' => $eventlog['humandate'], 'hostname' => generate_device_link($dev, shorthost($dev['hostname'])), 'type' => $type, - 'message' => htmlspecialchars($eventlog['message']), + 'message' => $eventlog['message'], ); } diff --git a/html/includes/table/syslog.inc.php b/html/includes/table/syslog.inc.php index 987aac65a..bd80e7b5f 100644 --- a/html/includes/table/syslog.inc.php +++ b/html/includes/table/syslog.inc.php @@ -66,7 +66,7 @@ foreach (dbFetchRows($sql, $param) as $syslog) { 'timestamp' => $syslog['date'], 'device_id' => generate_device_link($dev, shorthost($dev['hostname'])), 'program' => $syslog['program'], - 'msg' => htmlspecialchars($syslog['msg']), + 'msg' => $syslog['msg'], ); } diff --git a/html/includes/vars.inc.php b/html/includes/vars.inc.php index 369a13a74..3326a119f 100644 --- a/html/includes/vars.inc.php +++ b/html/includes/vars.inc.php @@ -43,3 +43,6 @@ foreach ($_GET as $name => $value) { foreach ($_POST as $name => $value) { $vars[$name] = $value; } + +array_walk_recursive($vars,'sanitize_array'); +reset($vars); diff --git a/html/index.php b/html/index.php index 46164c663..494d6c3de 100644 --- a/html/index.php +++ b/html/index.php @@ -214,14 +214,6 @@ else {
"); - print_r($_GET); - print_r($vars); - echo(""); -} - if ($_SESSION['authenticated']) { // Authenticated. Print a page. if (isset($vars['page']) && !strstr("..", $vars['page']) && is_file("pages/" . $vars['page'] . ".inc.php")) { diff --git a/html/pages/adduser.inc.php b/html/pages/adduser.inc.php index 791d4d03d..7bb5c4838 100644 --- a/html/pages/adduser.inc.php +++ b/html/pages/adduser.inc.php @@ -27,7 +27,7 @@ else { // FIXME: missing email field here on the form if (adduser($_POST['new_username'], $_POST['new_password'], $_POST['new_level'], $_POST['new_email'], $_POST['new_realname'], $_POST['can_modify_passwd'])) { - echo 'User '.$_POST['username'].' added!'; + echo 'User '.$vars['username'].' added!'; } } else { diff --git a/html/pages/alert-log.inc.php b/html/pages/alert-log.inc.php index 752be46ce..4042b2e3d 100644 --- a/html/pages/alert-log.inc.php +++ b/html/pages/alert-log.inc.php @@ -51,7 +51,7 @@ foreach (get_all_devices() as $hostname) { $device_id = getidbyname($hostname); if (device_permitted($device_id)) { echo '"
- +
+ - +
diff --git a/html/pages/device/edit.inc.php b/html/pages/device/edit.inc.php index e866e4504..62cd2a4c5 100644 --- a/html/pages/device/edit.inc.php +++ b/html/pages/device/edit.inc.php @@ -58,7 +58,7 @@ else { echo(generate_link($text,$link_array,array('section'=>$type))); -# echo(" " . $text .""); +# echo(" " . $text .""); if ($vars['section'] == $type) { echo(""); } diff --git a/html/pages/device/logs/eventlog.inc.php b/html/pages/device/logs/eventlog.inc.php index a5c60de86..f5f0444b6 100644 --- a/html/pages/device/logs/eventlog.inc.php +++ b/html/pages/device/logs/eventlog.inc.php @@ -2,7 +2,7 @@
- +
+