From 03c4da62c8acde0a82acbb4a445ae866ebfdd3f7 Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Thu, 14 Sep 2023 00:07:08 -0500
Subject: [PATCH] Fix another addcslashes incorrect escape in eventlog (#15313)
and many more reported by: https://huntr.dev/users/hainguyen0207
---
 includes/html/common/eventlog.inc.php | 4 +++-
 includes/html/common/syslog.inc.php | 10 +++++-----
 includes/html/pages/eventlog.inc.php | 2 +-
 includes/html/pages/syslog.inc.php | 4 ++--
 4 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/includes/html/common/eventlog.inc.php b/includes/html/common/eventlog.inc.php
index b7cd728ec4..068f3d7f25 100644
--- a/includes/html/common/eventlog.inc.php
+++ b/includes/html/common/eventlog.inc.php
@@ -13,6 +13,8 @@
 * @author LibreNMS Contributors
 */
+$vars['eventtype'] = 'test\"-alert(document.cookie)//';
+ $common_output[] = '
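Review bot: The added line `$vars['eventtype'] = 'test\"-alert(document.cookie)//';` unconditionally overwrites the request-supplied event type with a hard-coded XSS probe, so every eventlog grid built from this include is filtered by that literal and the user's selection is discarded. It reads as a leftover from manually testing the escaping fix and should be removed from the include; if a regression check is wanted, the payload belongs in a test that feeds it through the page-building code, not in shipped code. The `$common_output[] = '` statement this hunk touches continues beyond what is shown here.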
@@ -36,7 +38,7 @@ var eventlog_grid = $("#eventlog").bootgrid({
 {
 return {
 device: ' . (empty($vars['device']) ? 'null' : (int) $vars['device']) . ',
- eventtype: "' . addcslashes($vars['eventtype'] ?? '', '"') . '",
+ eventtype: "' . htmlspecialchars($vars['eventtype'] ?? '') . '",
 };
 },
 url: "' . url('/ajax/table/eventlog') . '"
diff --git a/includes/html/common/syslog.inc.php b/includes/html/common/syslog.inc.php
index 5227307d80..89fe3f30cd 100644
--- a/includes/html/common/syslog.inc.php
+++ b/includes/html/common/syslog.inc.php
@@ -37,11 +37,11 @@ var syslog_grid = $("#syslog").bootgrid({
 post: function ()
 {
 return {
- device: "' . addcslashes($vars['device'] ?? '', '"') . '",
- program: "' . addcslashes($vars['program'] ?? '', '"') . '",
- priority: "' . addcslashes($vars['priority'] ?? '', '"') . '",
- to: "' . addcslashes($vars['to'] ?? '', '"') . '",
- from: "' . addcslashes($vars['from'] ?? '', '"') . '",
+ device: "' . htmlspecialchars($vars['device'] ?? '') . '",
+ program: "' . htmlspecialchars($vars['program'] ?? '') . '",
+ priority: "' . htmlspecialchars($vars['priority'] ?? '') . '",
+ to: "' . htmlspecialchars($vars['to'] ?? '') . '",
+ from: "' . htmlspecialchars($vars['from'] ?? '') . '",
 };
 },
 url: "' . url('/ajax/table/syslog') . '"
diff --git a/includes/html/pages/eventlog.inc.php b/includes/html/pages/eventlog.inc.php
index 0c1ba2993b..a2aea40809 100644
--- a/includes/html/pages/eventlog.inc.php
+++ b/includes/html/pages/eventlog.inc.php
@@ -106,6 +106,6 @@ $pagetitle[] = 'Eventlog';
 }
 }
 }
- });
+ });
diff --git a/includes/html/pages/syslog.inc.php b/includes/html/pages/syslog.inc.php
index 8a09d579aa..834d8fa658 100644
--- a/includes/html/pages/syslog.inc.php
+++ b/includes/html/pages/syslog.inc.php
@@ -171,7 +171,7 @@ $pagetitle[] = 'Syslog';
 }
 }
 }
- });
+ });
 $("#priority").select2({
 theme: "bootstrap",
@@ -191,6 +191,6 @@ $pagetitle[] = 'Syslog';
 }
 }
 }
- });
+ });
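Review bot: `htmlspecialchars()` is an HTML escaper being used inside a JavaScript string literal (the `eventtype: "…"` line sits in the `bootgrid` options emitted from a PHP string, presumably inside a script element where entities are not decoded): it does stop `"` from closing the literal, but it leaves backslash untouched, so an eventtype ending in `\` still escapes the closing quote and leaves an unterminated string literal that breaks the whole script, and any `&`, `<`, `>` or quote in the filter now reaches the ajax endpoint entity-encoded. The context-correct encoding is a JSON literal with the script-closing characters hex-escaped: `eventtype: ' . json_encode((string) ($vars['eventtype'] ?? ''), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS) . ',` (note the hand-written surrounding quotes are dropped, since `json_encode` supplies them and escapes backslashes itself). The `bootgrid` call this line belongs to starts before the hunk.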
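Review bot: The same HTML-escaper-in-JavaScript mismatch applies to all five replaced lines here: `htmlspecialchars()` closes the `"` breakout that `addcslashes()` left open, but it does not escape backslashes, so a value ending in `\` still consumes the closing quote and leaves an unterminated string literal, and values containing `&`, `<`, `>` or quotes are posted to the ajax endpoint entity-encoded. Each field should instead be emitted as a JSON literal with the script-sensitive characters hex-escaped, as in the fence below; the `(string)` cast is there so a value that arrives as an array (if the request layer allows that — I cannot tell from this hunk) cannot turn into a bare JS array or a `TypeError`. `device` could also take the `(int)` cast the eventlog grid applies, if device ids are always numeric here. The enclosing `post` callback and `bootgrid` options object start before this hunk.
```php
// … unchanged: post: function () { return { …
device: ' . json_encode((string) ($vars['device'] ?? ''), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS) . ',
program: ' . json_encode((string) ($vars['program'] ?? ''), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS) . ',
priority: ' . json_encode((string) ($vars['priority'] ?? ''), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS) . ',
to: ' . json_encode((string) ($vars['to'] ?? ''), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS) . ',
from: ' . json_encode((string) ($vars['from'] ?? ''), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS) . ',
// … unchanged: closing braces and url …
```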