- added htmlentities (XSS protection) to form data passed to template, fixes #4902

Author: Marius Burkard

interface/lib/classes/tform_actions.inc.php

@@ -287,7 +287,7 @@ function onError() {
 		global $app, $conf;
 
 		$app->tpl->setVar("error", "<li>".$app->tform->errorMessage."</li>");
-		$app->tpl->setVar($this->dataRecord);
+		$app->tpl->setVar($this->dataRecord, null, true);
 		$this->onShow();
 	}
 

interface/lib/classes/tpl.inc.php

@@ -226,21 +226,26 @@ public function newTemplate($tmplfile)
 		 * using the keys as variable names and the values as variable values.
 		 * @param mixed $k key to define variable name
 		 * @param mixed $v variable to assign to $k
+		 * @param bool $encode if set to true use htmlentities on values
 		 * @return boolean true/false
 		 * @access public
 		 */
-		public function setVar($k, $v = null)
+		public function setVar($k, $v = null, $encode = false)
 		{
+			global $app;
+			
 			if (is_array($k)) {
 				foreach($k as $key => $value){
 					$key = ($this->OPTIONS['CASELESS']) ? strtolower(trim($key)) : trim($key);
 					if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $key) && $value !== null ) {
+						if($encode == true) $value = $app->functions->htmlentities($value);
 						$this->_vars[$key] = $value;
 					}
 				}
 			} else {
 				if (preg_match('/^[A-Za-z_]+[A-Za-z0-9_]*$/', $k) && $v !== null) {
 					if ($this->OPTIONS['CASELESS']) $k = strtolower($k);
+					if($encode == true) $value = $app->functions->htmlentities($);
 					$this->_vars[trim($k)] = $v;
 				} else {
 					return false;

interface/web/admin/directive_snippets_edit.php

@@ -70,9 +70,9 @@ function onShowEnd() {
 		if($this->id > 0){
 			if($this->dataRecord['master_directive_snippets_id'] > 0){
 				$is_master = true;
-				$app->tpl->setVar("name", $this->dataRecord['name']);
-				$app->tpl->setVar("type", $this->dataRecord['type']);
-				$app->tpl->setVar("snippet", $this->dataRecord['snippet']);
+				$app->tpl->setVar("name", $this->dataRecord['name'], true);
+				$app->tpl->setVar("type", $this->dataRecord['type'], true);
+				$app->tpl->setVar("snippet", $this->dataRecord['snippet'], true);
 			}
 		}
 		$app->tpl->setVar("is_master", $is_master);

interface/web/dns/dns_slave_edit.php

@@ -149,7 +149,7 @@ function onShowEnd() {
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}

interface/web/dns/dns_soa_edit.php

@@ -217,7 +217,7 @@ function onShowEnd() {
 	if($this->id > 0) {
 		//* we are editing a existing record
 		$app->tpl->setVar("edit_disabled", 1);
-		$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+		$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 
 		$datalog = $app->db->queryOneRecord("SELECT sys_datalog.error, sys_log.tstamp FROM sys_datalog, sys_log WHERE sys_datalog.dbtable = 'dns_soa' AND sys_datalog.dbidx = ? AND sys_datalog.datalog_id = sys_log.datalog_id AND sys_log.message = CONCAT('Processed datalog_id ',sys_log.datalog_id) ORDER BY sys_datalog.tstamp DESC", 'id:' . $this->id);
 		if(is_array($datalog) && !empty($datalog)){

interface/web/mail/mail_domain_edit.php

@@ -204,7 +204,7 @@ function onShowEnd() {
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}

interface/web/mail/mail_mailinglist_edit.php

@@ -124,9 +124,9 @@ function onShowEnd() {
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("listname_value", $this->dataRecord["listname"]);
-			$app->tpl->setVar("domain_value", $this->dataRecord["domain"]);
-			$app->tpl->setVar("email_value", $this->dataRecord["email"]);
+			$app->tpl->setVar("listname_value", $this->dataRecord["listname"], true);
+			$app->tpl->setVar("domain_value", $this->dataRecord["domain"], true);
+			$app->tpl->setVar("email_value", $this->dataRecord["email"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}

interface/web/mail/mail_user_edit.php

@@ -121,7 +121,7 @@ function onShowEnd() {
 		if($this->dataRecord['autoresponder_subject'] == '') {
 			$app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject'));
 		} else {
-			$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']);
+			$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true);
 		}
 
 		$app->uses('getconf');

interface/web/mail/xmpp_domain_edit.php

@@ -211,7 +211,7 @@ function onShowEnd() {
 		if($this->id > 0) {
 			//* we are editing a existing record
 			$app->tpl->setVar("edit_disabled", 1);
-			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"]);
+			$app->tpl->setVar("server_id_value", $this->dataRecord["server_id"], true);
 		} else {
 			$app->tpl->setVar("edit_disabled", 0);
 		}

interface/web/mailuser/mail_user_autoresponder_edit.php

@@ -84,7 +84,7 @@ function onShowEnd() {
 		if($this->dataRecord['autoresponder_subject'] == '') {
 			$app->tpl->setVar('autoresponder_subject', $app->tform->lng('autoresponder_subject'));
 		} else {
-			$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject']);
+			$app->tpl->setVar('autoresponder_subject', $this->dataRecord['autoresponder_subject'], true);
 		}
 
 		parent::onShowEnd();