- further XSS fixes for #4902 (reflected XSS)

Marius Burkard · Marius Burkard · commit 5008d8cefe3f · 2018-01-01T16:30:59.000+01:00
diff --git a/interface/lib/app.inc.php b/interface/lib/app.inc.php
@@ -298,14 +298,14 @@ public function tpl_defaults() {
 
 		$this->tpl->setVar('phpsessid', session_id());
 
-		$this->tpl->setVar('theme', $_SESSION['s']['theme']);
+		$this->tpl->setVar('theme', $_SESSION['s']['theme'], true);
 		$this->tpl->setVar('html_content_encoding', $this->_conf['html_content_encoding']);
 
 		$this->tpl->setVar('delete_confirmation', $this->lng('delete_confirmation'));
 		//print_r($_SESSION);
 		if(isset($_SESSION['s']['module']['name'])) {
-			$this->tpl->setVar('app_module', $_SESSION['s']['module']['name']);
-			$this->tpl->setVar('session_module', $_SESSION['s']['module']['name']);
+			$this->tpl->setVar('app_module', $_SESSION['s']['module']['name'], true);
+			$this->tpl->setVar('session_module', $_SESSION['s']['module']['name'], true);
 		}
 		if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') {
 			$this->tpl->setVar('is_admin', 1);
@@ -315,7 +315,7 @@ public function tpl_defaults() {
 		}
 		/* Show username */
 		if(isset($_SESSION['s']['user'])) {
-			$this->tpl->setVar('cpuser', $_SESSION['s']['user']['username']);
+			$this->tpl->setVar('cpuser', $_SESSION['s']['user']['username'], true);
 			$this->tpl->setVar('logout_txt', $this->lng('logout_txt'));
 			/* Show search field only for normal users, not mail users */
 			if(stristr($_SESSION['s']['user']['username'], '@')){
diff --git a/interface/lib/classes/plugin_listview.inc.php b/interface/lib/classes/plugin_listview.inc.php
@@ -56,7 +56,7 @@ function onShow() {
 		// $app->listform->listDef["page_params"] = "&id=".$app->tform_actions->id."&next_tab=".$_SESSION["s"]["form"]["tab"];
 		$app->listform->listDef["page_params"] = "&id=".$this->form->id."&next_tab=".$_SESSION["s"]["form"]["tab"];
 		$listTpl->setVar('parent_id', $this->form->id);
-		$listTpl->setVar('theme', $_SESSION['s']['theme']);
+		$listTpl->setVar('theme', $_SESSION['s']['theme'], true);
 
 		// Generate the SQL for searching
 		$sql_where = "";
@@ -193,13 +193,13 @@ function onShow() {
 
 		$listTpl->setVar('phpsessid', session_id());
 
-		$listTpl->setVar('theme', $_SESSION['s']['theme']);
+		$listTpl->setVar('theme', $_SESSION['s']['theme'], true);
 		$listTpl->setVar('html_content_encoding', $app->_conf['html_content_encoding']);
 
 		$listTpl->setVar('delete_confirmation', $app->lng('delete_confirmation'));
 		//print_r($_SESSION);
 		if(isset($_SESSION['s']['module']['name'])) {
-			$listTpl->setVar('app_module', $_SESSION['s']['module']['name']);
+			$listTpl->setVar('app_module', $_SESSION['s']['module']['name'], true);
 		}
 		if(isset($_SESSION['s']['user']) && $_SESSION['s']['user']['typ'] == 'admin') {
 			$listTpl->setVar('is_admin', 1);
@@ -209,7 +209,7 @@ function onShow() {
 		}
 		/* Show username */
 		if(isset($_SESSION['s']['user'])) {
-			$listTpl->setVar('cpuser', $_SESSION['s']['user']['username']);
+			$listTpl->setVar('cpuser', $_SESSION['s']['user']['username'], true);
 			$listTpl->setVar('logout_txt', $app->lng('logout_txt'));
 			/* Show search field only for normal users, not mail users */
 			if(stristr($_SESSION['s']['user']['username'], '@')){
diff --git a/interface/web/client/client_message.php b/interface/web/client/client_message.php
@@ -114,9 +114,9 @@
 		}
 
 	} else {
-		$app->tpl->setVar('sender', $_POST['sender']);
-		$app->tpl->setVar('subject', $_POST['subject']);
-		$app->tpl->setVar('message', $_POST['message']);
+		$app->tpl->setVar('sender', $_POST['sender'], true);
+		$app->tpl->setVar('subject', $_POST['subject'], true);
+		$app->tpl->setVar('message', $_POST['message'], true);
 	}
 } else {
 	// pre-fill Sender field with reseller's email address
diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php
@@ -183,7 +183,7 @@
 		} else {
 			$app->tpl->setVar($field."_VISIBLE", 1);
 			$field = strtolower($field);
-			$app->tpl->setVar($field, $_POST[$field]);
+			$app->tpl->setVar($field, $_POST[$field], true);
 		}
 	}
 }
diff --git a/interface/web/index.php b/interface/web/index.php
@@ -41,7 +41,7 @@
 
 $app->uses('tpl');
 $app->tpl->newTemplate('main.tpl.htm');
-$app->tpl->setVar('startpage', isset($_SESSION['s']['module']['startpage']) ? $_SESSION['s']['module']['startpage'] : '');
+$app->tpl->setVar('startpage', isset($_SESSION['s']['module']['startpage']) ? $_SESSION['s']['module']['startpage'] : '', true);
 $app->tpl->setVar('logged_in', ($_SESSION['s']['user']['active'] != 1 ? 'n' : 'y'));
 
 // tab change warning?
@@ -93,7 +93,7 @@
 if (!empty($js_d_files)) $app->tpl->setLoop('js_d_includes', $js_d_files);
 unset($js_d_files);
 
-$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default');
+$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default', true);
 
 // Logo
 $logo = $app->db->queryOneRecord("SELECT * FROM sys_ini WHERE sysini_id = 1");
diff --git a/interface/web/login/index.php b/interface/web/login/index.php
@@ -340,7 +340,7 @@
 $app->tpl->setVar('session_timeout', $server_config_array['session_timeout']);
 $app->tpl->setVar('session_allow_endless', $server_config_array['session_allow_endless']);
 //$app->tpl->setInclude('content_tpl', 'login/templates/index.htm');
-$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default');
+$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default', true);
 //die(isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default');
 
 // Logo
diff --git a/interface/web/login/password_reset.php b/interface/web/login/password_reset.php
@@ -156,7 +156,7 @@
 	if(isset($_POST) && count($_POST) > 0) $app->tpl->setVar("msg", $wb['pw_error_noinput']);
 }
 
-$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default');
+$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default', true);
 
 // Logo
 $logo = $app->db->queryOneRecord("SELECT * FROM sys_ini WHERE sysini_id = 1");
diff --git a/interface/web/sites/web_childdomain_list.php b/interface/web/sites/web_childdomain_list.php
@@ -56,7 +56,7 @@
 class list_action extends listform_actions {
 	function onShow() {
 		global $app;
-		$app->tpl->setVar('childdomain_type', $_SESSION['s']['var']['childdomain_type']);
+		$app->tpl->setVar('childdomain_type', $_SESSION['s']['var']['childdomain_type'], true);
 		
 		parent::onShow();
 	}
diff --git a/interface/web/sites/web_vhost_domain_list.php b/interface/web/sites/web_vhost_domain_list.php
@@ -68,7 +68,7 @@
 class list_action extends listform_actions {
 	function onShow() {
 		global $app;
-		$app->tpl->setVar('vhostdomain_type', $_SESSION['s']['var']['vhostdomain_type']);
+		$app->tpl->setVar('vhostdomain_type', $_SESSION['s']['var']['vhostdomain_type'], true);
 		
 		parent::onShow();
 	}
diff --git a/interface/web/tools/dns_import_tupa.php b/interface/web/tools/dns_import_tupa.php
@@ -50,10 +50,10 @@
 	$app->auth->csrf_token_check();
 
 	//* Set variable sin template
-	$app->tpl->setVar('dbhost', $_POST['dbhost']);
-	$app->tpl->setVar('dbname', $_POST['dbname']);
-	$app->tpl->setVar('dbuser', $_POST['dbuser']);
-	$app->tpl->setVar('dbpassword', $_POST['dbpassword']);
+	$app->tpl->setVar('dbhost', $_POST['dbhost'], true);
+	$app->tpl->setVar('dbname', $_POST['dbname'], true);
+	$app->tpl->setVar('dbuser', $_POST['dbuser'], true);
+	$app->tpl->setVar('dbpassword', $_POST['dbpassword'], true);
 
 	//* Establish connection to external database
 	$msg .= 'Connecting to external database...<br />';
diff --git a/interface/web/tools/import_ispconfig.php b/interface/web/tools/import_ispconfig.php
@@ -142,9 +142,9 @@
 
 }
 
-$app->tpl->setVar('remote_server', $_POST['remote_server']);
-$app->tpl->setVar('remote_user', $_POST['remote_user']);
-$app->tpl->setVar('remote_password', $_POST['remote_password']);
+$app->tpl->setVar('remote_server', $_POST['remote_server'], true);
+$app->tpl->setVar('remote_user', $_POST['remote_user'], true);
+$app->tpl->setVar('remote_password', $_POST['remote_password'], true);
 $app->tpl->setVar('connected', $connected);
 $app->tpl->setVar('remote_session_id', $remote_session_id);
 $app->tpl->setVar('msg', $msg);
diff --git a/interface/web/tools/import_vpopmail.php b/interface/web/tools/import_vpopmail.php
@@ -84,11 +84,11 @@
 	$_POST['local_server_id'] = 1;
 }
 
-$app->tpl->setVar('db_hostname', $_POST['db_hostname']);
-$app->tpl->setVar('db_user', $_POST['db_user']);
-$app->tpl->setVar('db_password', $_POST['db_password']);
-$app->tpl->setVar('db_name', $_POST['db_name']);
-$app->tpl->setVar('local_server_id', $_POST['local_server_id']);
+$app->tpl->setVar('db_hostname', $_POST['db_hostname'], true);
+$app->tpl->setVar('db_user', $_POST['db_user'], true);
+$app->tpl->setVar('db_password', $_POST['db_password'], true);
+$app->tpl->setVar('db_name', $_POST['db_name'], true);
+$app->tpl->setVar('local_server_id', $_POST['local_server_id'], true);
 $app->tpl->setVar('msg', $msg);
 $app->tpl->setVar('error', $error);
 

Original file line number	Diff line number	Diff line change
`@@ -114,9 +114,9 @@`
`114`	`114`	`}`
`115`	`115`
`116`	`116`	`} else {`
`117`		`- $app->tpl->setVar('sender', $_POST['sender']);`
`118`		`- $app->tpl->setVar('subject', $_POST['subject']);`
`119`		`- $app->tpl->setVar('message', $_POST['message']);`
	`117`	`+ $app->tpl->setVar('sender', $_POST['sender'], true);`
	`118`	`+ $app->tpl->setVar('subject', $_POST['subject'], true);`
	`119`	`+ $app->tpl->setVar('message', $_POST['message'], true);`
`120`	`120`	`}`
`121`	`121`	`} else {`
`122`	`122`	`// pre-fill Sender field with reseller's email address`
Original file line number	Diff line number	Diff line change
`@@ -183,7 +183,7 @@`
`183`	`183`	`} else {`
`184`	`184`	`$app->tpl->setVar($field."_VISIBLE", 1);`
`185`	`185`	`$field = strtolower($field);`
`186`		`- $app->tpl->setVar($field, $_POST[$field]);`
	`186`	`+ $app->tpl->setVar($field, $_POST[$field], true);`
`187`	`187`	`}`
`188`	`188`	`}`
`189`	`189`	`}`
Original file line number	Diff line number	Diff line change
`@@ -156,7 +156,7 @@`
`156`	`156`	`if(isset($_POST) && count($_POST) > 0) $app->tpl->setVar("msg", $wb['pw_error_noinput']);`
`157`	`157`	`}`
`158`	`158`
`159`		`-$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default');`
	`159`	`+$app->tpl->setVar('current_theme', isset($_SESSION['s']['theme']) ? $_SESSION['s']['theme'] : 'default', true);`
`160`	`160`
`161`	`161`	`// Logo`
`162`	`162`	`$logo = $app->db->queryOneRecord("SELECT * FROM sys_ini WHERE sysini_id = 1");`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@`
`56`	`56`	`class list_action extends listform_actions {`
`57`	`57`	`function onShow() {`
`58`	`58`	`global $app;`
`59`		`- $app->tpl->setVar('childdomain_type', $_SESSION['s']['var']['childdomain_type']);`
	`59`	`+ $app->tpl->setVar('childdomain_type', $_SESSION['s']['var']['childdomain_type'], true);`
`60`	`60`
`61`	`61`	`parent::onShow();`
`62`	`62`	`}`
Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,7 @@`
`68`	`68`	`class list_action extends listform_actions {`
`69`	`69`	`function onShow() {`
`70`	`70`	`global $app;`
`71`		`- $app->tpl->setVar('vhostdomain_type', $_SESSION['s']['var']['vhostdomain_type']);`
	`71`	`+ $app->tpl->setVar('vhostdomain_type', $_SESSION['s']['var']['vhostdomain_type'], true);`
`72`	`72`
`73`	`73`	`parent::onShow();`
`74`	`74`	`}`