diff --git a/alerts.php b/alerts.php index 1035214c0..6d791d213 100755 --- a/alerts.php +++ b/alerts.php @@ -182,7 +182,7 @@ function RunFollowUp() { } $alert['details'] = json_decode(gzuncompress($alert['details']), true); - $rextra = json_decode(htmlspecialchars_decode($alert['extra']), true); + $rextra = json_decode($alert['extra'], true); if ($rextra['invert']) { continue; } @@ -237,7 +237,7 @@ function RunAlerts() { $noiss = false; $noacc = false; $updet = false; - $rextra = json_decode(htmlspecialchars_decode($alert['extra']), true); + $rextra = json_decode($alert['extra'], true); $chk = dbFetchRow('SELECT alerts.alerted,devices.ignore,devices.disabled FROM alerts,devices WHERE alerts.device_id = ? && devices.device_id = alerts.device_id && alerts.rule_id = ?', array($alert['device_id'], $alert['rule_id'])); if ($chk['alerted'] == $alert['state']) { $noiss = true; diff --git a/html/ajax_dash.php b/html/ajax_dash.php index e5622c732..0ffc58067 100644 --- a/html/ajax_dash.php +++ b/html/ajax_dash.php @@ -39,7 +39,7 @@ elseif (is_file('includes/common/'.$type.'.inc.php')) { $title = ucfirst($type); $unique_id = str_replace(array("-","."),"_",uniqid($type,true)); $widget_id = mres($_POST['id']); - $widget_settings = json_decode(htmlspecialchars_decode(dbFetchCell('select settings from users_widgets where user_widget_id = ?',array($widget_id))),true); + $widget_settings = json_decode(dbFetchCell('select settings from users_widgets where user_widget_id = ?',array($widget_id)),true); $widget_dimensions = $_POST['dimensions']; if( !empty($_POST['settings']) ) { define('show_settings',true); diff --git a/html/includes/dev-overview-data.inc.php b/html/includes/dev-overview-data.inc.php index defeb6d44..04c4de3dd 100644 --- a/html/includes/dev-overview-data.inc.php +++ b/html/includes/dev-overview-data.inc.php @@ -68,14 +68,14 @@ if ($device['sysContact']) { Contact'; if (get_dev_attrib($device, 'override_sysContact_bool')) { echo ' - '.get_dev_attrib($device, 'override_sysContact_string').' + '.htmlspecialchars(get_dev_attrib($device, 'override_sysContact_string')).' SNMP Contact'; } echo ' - '.$device['sysContact'].' + '.htmlspecialchars($device['sysContact']).' '; } diff --git a/html/includes/print-alert-rules.php b/html/includes/print-alert-rules.php index 4a198d9a1..eac1ae6fd 100644 --- a/html/includes/print-alert-rules.php +++ b/html/includes/print-alert-rules.php @@ -205,7 +205,7 @@ foreach (dbFetchRows($full_query, $param) as $rule) { echo 'Inverted '; } - echo ''.$rule['rule'].''; + echo ''.htmlentities($rule['rule']).''; echo ''.$rule['severity'].''; echo " "; if ($rule_extra['mute'] === true) { diff --git a/html/includes/print-alerts.inc.php b/html/includes/print-alerts.inc.php index ac75278fb..d9758a0f3 100644 --- a/html/includes/print-alerts.inc.php +++ b/html/includes/print-alerts.inc.php @@ -15,7 +15,7 @@ if (!isset($alert_entry['device'])) { '; } -echo ''.$alert_entry['name'].''; +echo ''.htmlspecialchars($alert_entry['name']).''; if ($alert_state != '') { if ($alert_state == '0') { diff --git a/html/includes/print-event-short.inc.php b/html/includes/print-event-short.inc.php index 2c02b7727..42fc75768 100644 --- a/html/includes/print-event-short.inc.php +++ b/html/includes/print-event-short.inc.php @@ -25,6 +25,6 @@ if ($entry['type'] == 'interface') { $entry['link'] = ''.generate_port_link(getifbyid($entry['reference'])).''; } - echo $entry['link'].' '.$entry['message'].' + echo $entry['link'].' '.htmlspecialchars($entry['message']).' '; diff --git a/html/includes/print-event.inc.php b/html/includes/print-event.inc.php index 14b6764d8..d8afd6bfa 100644 --- a/html/includes/print-event.inc.php +++ b/html/includes/print-event.inc.php @@ -31,5 +31,5 @@ else { echo ''.$entry['link'].''; -echo ''.$entry['message'].' +echo ''.htmlspecialchars($entry['message']).' '; diff --git a/html/includes/print-syslog.inc.php b/html/includes/print-syslog.inc.php index 26a0d5b62..0f1c1c669 100644 --- a/html/includes/print-syslog.inc.php +++ b/html/includes/print-syslog.inc.php @@ -8,10 +8,10 @@ if (device_permitted($entry['device_id'])) { if ($vars['page'] != 'device') { $syslog_output .= ''.$entry['date'].' '.generate_device_link($entry).' - '.$entry['program'].' : '.$entry['msg'].''; + '.$entry['program'].' : '.htmlspecialchars($entry['msg']).''; } else { - $syslog_output .= ''.$entry['date'].'   '.$entry['program'].'   '.$entry['msg'].''; + $syslog_output .= ''.$entry['date'].'   '.$entry['program'].'   '.htmlspecialchars($entry['msg']).''; } $syslog_output .= ''; diff --git a/html/includes/reports/alert-log.pdf.inc.php b/html/includes/reports/alert-log.pdf.inc.php index 13b13526d..d293b474b 100644 --- a/html/includes/reports/alert-log.pdf.inc.php +++ b/html/includes/reports/alert-log.pdf.inc.php @@ -66,7 +66,7 @@ foreach (dbFetchRows($full_query, $param) as $alert_entry) { $data[] = array( $alert_entry['time_logged'], $hostname, - $alert_entry['name'], + htmlspecialchars($alert_entry['name']), $text, ); }//end if diff --git a/html/includes/table/alertlog.inc.php b/html/includes/table/alertlog.inc.php index 3c41acb78..8b4d94d3e 100644 --- a/html/includes/table/alertlog.inc.php +++ b/html/includes/table/alertlog.inc.php @@ -77,7 +77,7 @@ foreach (dbFetchRows($sql, $param) as $alertlog) { 'time_logged' => $alertlog['humandate'], 'details' => '', 'hostname' => '
'.generate_device_link($dev, shorthost($dev['hostname'])).'
'.$fault_detail.'
', - 'alert' => $alertlog['alert'], + 'alert' => htmlspecialchars($alertlog['alert']), 'status' => " $text", ); }//end foreach diff --git a/html/includes/table/eventlog.inc.php b/html/includes/table/eventlog.inc.php index 6390b0d0f..62edbbefd 100644 --- a/html/includes/table/eventlog.inc.php +++ b/html/includes/table/eventlog.inc.php @@ -66,7 +66,7 @@ foreach (dbFetchRows($sql, $param) as $eventlog) { 'datetime' => $eventlog['humandate'], 'hostname' => generate_device_link($dev, shorthost($dev['hostname'])), 'type' => $type, - 'message' => $eventlog['message'], + 'message' => htmlspecialchars($eventlog['message']), ); } diff --git a/html/includes/table/syslog.inc.php b/html/includes/table/syslog.inc.php index bd80e7b5f..987aac65a 100644 --- a/html/includes/table/syslog.inc.php +++ b/html/includes/table/syslog.inc.php @@ -66,7 +66,7 @@ foreach (dbFetchRows($sql, $param) as $syslog) { 'timestamp' => $syslog['date'], 'device_id' => generate_device_link($dev, shorthost($dev['hostname'])), 'program' => $syslog['program'], - 'msg' => $syslog['msg'], + 'msg' => htmlspecialchars($syslog['msg']), ); } diff --git a/html/includes/vars.inc.php b/html/includes/vars.inc.php index 3326a119f..369a13a74 100644 --- a/html/includes/vars.inc.php +++ b/html/includes/vars.inc.php @@ -43,6 +43,3 @@ foreach ($_GET as $name => $value) { foreach ($_POST as $name => $value) { $vars[$name] = $value; } - -array_walk_recursive($vars,'sanitize_array'); -reset($vars); diff --git a/html/index.php b/html/index.php index 494d6c3de..46164c663 100644 --- a/html/index.php +++ b/html/index.php @@ -214,6 +214,14 @@ else {
"); + print_r($_GET); + print_r($vars); + echo(""); +} + if ($_SESSION['authenticated']) { // Authenticated. Print a page. if (isset($vars['page']) && !strstr("..", $vars['page']) && is_file("pages/" . $vars['page'] . ".inc.php")) { diff --git a/html/pages/adduser.inc.php b/html/pages/adduser.inc.php index 7bb5c4838..791d4d03d 100644 --- a/html/pages/adduser.inc.php +++ b/html/pages/adduser.inc.php @@ -27,7 +27,7 @@ else { // FIXME: missing email field here on the form if (adduser($_POST['new_username'], $_POST['new_password'], $_POST['new_level'], $_POST['new_email'], $_POST['new_realname'], $_POST['can_modify_passwd'])) { - echo 'User '.$vars['username'].' added!'; + echo 'User '.$_POST['username'].' added!'; } } else { diff --git a/html/pages/alert-log.inc.php b/html/pages/alert-log.inc.php index 4042b2e3d..752be46ce 100644 --- a/html/pages/alert-log.inc.php +++ b/html/pages/alert-log.inc.php @@ -51,7 +51,7 @@ foreach (get_all_devices() as $hostname) { $device_id = getidbyname($hostname); if (device_permitted($device_id)) { echo '"
- +
+ - +
diff --git a/html/pages/device/edit.inc.php b/html/pages/device/edit.inc.php index 62cd2a4c5..e866e4504 100644 --- a/html/pages/device/edit.inc.php +++ b/html/pages/device/edit.inc.php @@ -58,7 +58,7 @@ else { echo(generate_link($text,$link_array,array('section'=>$type))); -# echo(" " . $text .""); +# echo(" " . $text .""); if ($vars['section'] == $type) { echo(""); } diff --git a/html/pages/device/logs/eventlog.inc.php b/html/pages/device/logs/eventlog.inc.php index f5f0444b6..a5c60de86 100644 --- a/html/pages/device/logs/eventlog.inc.php +++ b/html/pages/device/logs/eventlog.inc.php @@ -2,7 +2,7 @@
- +
+