Fix injection in search pages ipv4, etc (#15311)

Reported by: https://huntr.dev/users/hainguyen0207
2024-10-07 16:52:45 +00:00 · 2023-09-13 23:35:49 -05:00
parent 49d66fa31b
commit 1194934d31
2 changed files with 3 additions and 3 deletions
--- a/includes/html/pages/search.inc.php
+++ b/includes/html/pages/search.inc.php
@@ -46,5 +46,5 @@ print_optionbar_end();
 if (file_exists("includes/html/pages/search/$search_type.inc.php")) {
    include "includes/html/pages/search/$search_type.inc.php";
 } else {
-    echo report_this("Unknown search type $search_type");
+    echo report_this('Unknown search type ' . htmlspecialchars($search_type));
 }
--- a/includes/html/pages/search/ipv4.inc.php
+++ b/includes/html/pages/search/ipv4.inc.php
@@ -85,8 +85,8 @@ if ($_POST['interface'] == 'Vlan%') {
            id: "address-search",
            search_type: "ipv4",
            device_id: '<?php echo htmlspecialchars($_POST['device_id']); ?>',
-            interface: '<?php echo $_POST['interface']; ?>',
-            address: '<?php echo $_POST['address']; ?>'
+            interface: '<?php echo htmlspecialchars($_POST['interface']); ?>',
+            address: '<?php echo htmlspecialchars($_POST['address']); ?>'
        };
    },
    url: "ajax_table.php",