diff --git a/alerts.php b/alerts.php
index 1035214c0..6d791d213 100755
--- a/alerts.php
+++ b/alerts.php
@@ -182,7 +182,7 @@ function RunFollowUp() {
}
$alert['details'] = json_decode(gzuncompress($alert['details']), true);
- $rextra = json_decode(htmlspecialchars_decode($alert['extra']), true);
+ $rextra = json_decode($alert['extra'], true);
if ($rextra['invert']) {
continue;
}
@@ -237,7 +237,7 @@ function RunAlerts() {
$noiss = false;
$noacc = false;
$updet = false;
- $rextra = json_decode(htmlspecialchars_decode($alert['extra']), true);
+ $rextra = json_decode($alert['extra'], true);
$chk = dbFetchRow('SELECT alerts.alerted,devices.ignore,devices.disabled FROM alerts,devices WHERE alerts.device_id = ? && devices.device_id = alerts.device_id && alerts.rule_id = ?', array($alert['device_id'], $alert['rule_id']));
if ($chk['alerted'] == $alert['state']) {
$noiss = true;
diff --git a/html/ajax_dash.php b/html/ajax_dash.php
index e5622c732..0ffc58067 100644
--- a/html/ajax_dash.php
+++ b/html/ajax_dash.php
@@ -39,7 +39,7 @@ elseif (is_file('includes/common/'.$type.'.inc.php')) {
$title = ucfirst($type);
$unique_id = str_replace(array("-","."),"_",uniqid($type,true));
$widget_id = mres($_POST['id']);
- $widget_settings = json_decode(htmlspecialchars_decode(dbFetchCell('select settings from users_widgets where user_widget_id = ?',array($widget_id))),true);
+ $widget_settings = json_decode(dbFetchCell('select settings from users_widgets where user_widget_id = ?',array($widget_id)),true);
$widget_dimensions = $_POST['dimensions'];
if( !empty($_POST['settings']) ) {
define('show_settings',true);
diff --git a/html/includes/dev-overview-data.inc.php b/html/includes/dev-overview-data.inc.php
index defeb6d44..04c4de3dd 100644
--- a/html/includes/dev-overview-data.inc.php
+++ b/html/includes/dev-overview-data.inc.php
@@ -68,14 +68,14 @@ if ($device['sysContact']) {
Contact | ';
if (get_dev_attrib($device, 'override_sysContact_bool')) {
echo '
- '.get_dev_attrib($device, 'override_sysContact_string').' |
+ '.htmlspecialchars(get_dev_attrib($device, 'override_sysContact_string')).' |
| SNMP Contact | ';
}
echo '
- '.$device['sysContact'].' |
+ '.htmlspecialchars($device['sysContact']).' |
';
}
diff --git a/html/includes/print-alert-rules.php b/html/includes/print-alert-rules.php
index 4a198d9a1..eac1ae6fd 100644
--- a/html/includes/print-alert-rules.php
+++ b/html/includes/print-alert-rules.php
@@ -205,7 +205,7 @@ foreach (dbFetchRows($full_query, $param) as $rule) {
echo 'Inverted ';
}
- echo ''.$rule['rule'].'';
+ echo ''.htmlentities($rule['rule']).'';
echo ''.$rule['severity'].' | ';
echo " ";
if ($rule_extra['mute'] === true) {
diff --git a/html/includes/print-alerts.inc.php b/html/includes/print-alerts.inc.php
index ac75278fb..d9758a0f3 100644
--- a/html/includes/print-alerts.inc.php
+++ b/html/includes/print-alerts.inc.php
@@ -15,7 +15,7 @@ if (!isset($alert_entry['device'])) {
| ';
}
-echo ''.$alert_entry['name'].' | ';
+echo ''.htmlspecialchars($alert_entry['name']).' | ';
if ($alert_state != '') {
if ($alert_state == '0') {
diff --git a/html/includes/print-event-short.inc.php b/html/includes/print-event-short.inc.php
index 2c02b7727..42fc75768 100644
--- a/html/includes/print-event-short.inc.php
+++ b/html/includes/print-event-short.inc.php
@@ -25,6 +25,6 @@ if ($entry['type'] == 'interface') {
$entry['link'] = ''.generate_port_link(getifbyid($entry['reference'])).'';
}
- echo $entry['link'].' '.$entry['message'].'
+ echo $entry['link'].' '.htmlspecialchars($entry['message']).'
|
';
diff --git a/html/includes/print-event.inc.php b/html/includes/print-event.inc.php
index 14b6764d8..d8afd6bfa 100644
--- a/html/includes/print-event.inc.php
+++ b/html/includes/print-event.inc.php
@@ -31,5 +31,5 @@ else {
echo ''.$entry['link'].' | ';
-echo ''.$entry['message'].' |
+echo ''.htmlspecialchars($entry['message']).' |
';
diff --git a/html/includes/print-syslog.inc.php b/html/includes/print-syslog.inc.php
index 26a0d5b62..0f1c1c669 100644
--- a/html/includes/print-syslog.inc.php
+++ b/html/includes/print-syslog.inc.php
@@ -8,10 +8,10 @@ if (device_permitted($entry['device_id'])) {
if ($vars['page'] != 'device') {
$syslog_output .= ''.$entry['date'].' |
'.generate_device_link($entry).' |
- '.$entry['program'].' : '.$entry['msg'].' | ';
+ '.$entry['program'].' : '.htmlspecialchars($entry['msg']).' | ';
}
else {
- $syslog_output .= ''.$entry['date'].' '.$entry['program'].' '.$entry['msg'].' | ';
+ $syslog_output .= ''.$entry['date'].' '.$entry['program'].' '.htmlspecialchars($entry['msg']).' | ';
}
$syslog_output .= '';
diff --git a/html/includes/reports/alert-log.pdf.inc.php b/html/includes/reports/alert-log.pdf.inc.php
index 13b13526d..d293b474b 100644
--- a/html/includes/reports/alert-log.pdf.inc.php
+++ b/html/includes/reports/alert-log.pdf.inc.php
@@ -66,7 +66,7 @@ foreach (dbFetchRows($full_query, $param) as $alert_entry) {
$data[] = array(
$alert_entry['time_logged'],
$hostname,
- $alert_entry['name'],
+ htmlspecialchars($alert_entry['name']),
$text,
);
}//end if
diff --git a/html/includes/table/alertlog.inc.php b/html/includes/table/alertlog.inc.php
index 3c41acb78..8b4d94d3e 100644
--- a/html/includes/table/alertlog.inc.php
+++ b/html/includes/table/alertlog.inc.php
@@ -77,7 +77,7 @@ foreach (dbFetchRows($sql, $param) as $alertlog) {
'time_logged' => $alertlog['humandate'],
'details' => '',
'hostname' => ''.generate_device_link($dev, shorthost($dev['hostname'])).'
'.$fault_detail.'
',
- 'alert' => $alertlog['alert'],
+ 'alert' => htmlspecialchars($alertlog['alert']),
'status' => " $text",
);
}//end foreach
diff --git a/html/includes/table/eventlog.inc.php b/html/includes/table/eventlog.inc.php
index 6390b0d0f..62edbbefd 100644
--- a/html/includes/table/eventlog.inc.php
+++ b/html/includes/table/eventlog.inc.php
@@ -66,7 +66,7 @@ foreach (dbFetchRows($sql, $param) as $eventlog) {
'datetime' => $eventlog['humandate'],
'hostname' => generate_device_link($dev, shorthost($dev['hostname'])),
'type' => $type,
- 'message' => $eventlog['message'],
+ 'message' => htmlspecialchars($eventlog['message']),
);
}
diff --git a/html/includes/table/syslog.inc.php b/html/includes/table/syslog.inc.php
index bd80e7b5f..987aac65a 100644
--- a/html/includes/table/syslog.inc.php
+++ b/html/includes/table/syslog.inc.php
@@ -66,7 +66,7 @@ foreach (dbFetchRows($sql, $param) as $syslog) {
'timestamp' => $syslog['date'],
'device_id' => generate_device_link($dev, shorthost($dev['hostname'])),
'program' => $syslog['program'],
- 'msg' => $syslog['msg'],
+ 'msg' => htmlspecialchars($syslog['msg']),
);
}
diff --git a/html/includes/vars.inc.php b/html/includes/vars.inc.php
index 3326a119f..369a13a74 100644
--- a/html/includes/vars.inc.php
+++ b/html/includes/vars.inc.php
@@ -43,6 +43,3 @@ foreach ($_GET as $name => $value) {
foreach ($_POST as $name => $value) {
$vars[$name] = $value;
}
-
-array_walk_recursive($vars,'sanitize_array');
-reset($vars);
diff --git a/html/index.php b/html/index.php
index 494d6c3de..46164c663 100644
--- a/html/index.php
+++ b/html/index.php
@@ -214,6 +214,14 @@ else {
");
+ print_r($_GET);
+ print_r($vars);
+ echo("");
+}
+
if ($_SESSION['authenticated']) {
// Authenticated. Print a page.
if (isset($vars['page']) && !strstr("..", $vars['page']) && is_file("pages/" . $vars['page'] . ".inc.php")) {
diff --git a/html/pages/adduser.inc.php b/html/pages/adduser.inc.php
index 7bb5c4838..791d4d03d 100644
--- a/html/pages/adduser.inc.php
+++ b/html/pages/adduser.inc.php
@@ -27,7 +27,7 @@ else {
// FIXME: missing email field here on the form
if (adduser($_POST['new_username'], $_POST['new_password'], $_POST['new_level'], $_POST['new_email'], $_POST['new_realname'], $_POST['can_modify_passwd'])) {
- echo '
User '.$vars['username'].' added!';
+ echo '
User '.$_POST['username'].' added!';
}
}
else {
diff --git a/html/pages/alert-log.inc.php b/html/pages/alert-log.inc.php
index 4042b2e3d..752be46ce 100644
--- a/html/pages/alert-log.inc.php
+++ b/html/pages/alert-log.inc.php
@@ -51,7 +51,7 @@ foreach (get_all_devices() as $hostname) {
$device_id = getidbyname($hostname);
if (device_permitted($device_id)) {
echo '"
-
+