From 3252ea37af8b67d9b746ba7681b0459c2978b893 Mon Sep 17 00:00:00 2001
From: Tony Murray <murraytony@gmail.com>
Date: Wed, 2 Aug 2023 09:51:31 -0500
Subject: [PATCH] Fix some xss injection for sysLocation and some other fields
 (#15183)

Reported by [Zluudg](https://huntr.dev/users/zluudg/)
---
 .../Controllers/Table/DeviceController.php    |  6 ++--
 .../Controllers/Table/LocationController.php  |  2 +-
 .../html/forms/get-host-dependencies.inc.php  |  2 +-
 includes/html/pages/devices.inc.php           | 30 +++++++++----------
 includes/html/pages/services.inc.php          |  2 +-
 includes/html/table/alerts.inc.php            |  2 +-
 6 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/app/Http/Controllers/Table/DeviceController.php b/app/Http/Controllers/Table/DeviceController.php
index e52e77c670..945da1064c 100644
--- a/app/Http/Controllers/Table/DeviceController.php
+++ b/app/Http/Controllers/Table/DeviceController.php
@@ -153,10 +153,10 @@ class DeviceController extends TableController
             'icon' => '<img src="' . asset($device->icon) . '" title="' . pathinfo($device->icon, PATHINFO_FILENAME) . '">',
             'hostname' => $this->getHostname($device),
             'metrics' => $this->getMetrics($device),
-            'hardware' => Rewrite::ciscoHardware($device),
-            'os' => $this->getOsText($device),
+            'hardware' => htmlspecialchars(Rewrite::ciscoHardware($device)),
+            'os' => htmlspecialchars($this->getOsText($device)),
             'uptime' => (! $device->status && ! $device->last_polled) ? __('Never polled') : Time::formatInterval($device->status ? $device->uptime : $device->last_polled->diffInSeconds(), true),
-            'location' => $this->getLocation($device),
+            'location' => htmlspecialchars($this->getLocation($device)),
             'actions' => view('device.actions', ['actions' => $this->getActions($device)])->__toString(),
             'device_id' => $device->device_id,
         ];
diff --git a/app/Http/Controllers/Table/LocationController.php b/app/Http/Controllers/Table/LocationController.php
index 430f93445a..299a2b9164 100644
--- a/app/Http/Controllers/Table/LocationController.php
+++ b/app/Http/Controllers/Table/LocationController.php
@@ -79,7 +79,7 @@ class LocationController extends TableController
     {
         return [
             'id' => $location->id,
-            'location' => $location->location,
+            'location' => htmlspecialchars($location->location),
             'lat' => $location->lat,
             'lng' => $location->lng,
             'down' => $location->devices()->isDown()->count(),
diff --git a/includes/html/forms/get-host-dependencies.inc.php b/includes/html/forms/get-host-dependencies.inc.php
index 3967c14de2..3d4281977c 100644
--- a/includes/html/forms/get-host-dependencies.inc.php
+++ b/includes/html/forms/get-host-dependencies.inc.php
@@ -73,7 +73,7 @@ if (! Auth::user()->hasGlobalAdmin()) {
                     }
 
                     $hostname = format_hostname($myrow);
-                    $sysname = ($hostname == $myrow['sysName']) ? $myrow['hostname'] : $myrow['sysName'];
+                    $sysname = htmlspecialchars(($hostname == $myrow['sysName']) ? $myrow['hostname'] : $myrow['sysName']);
                     array_push($res_arr, ['deviceid' => $myrow['id'], 'hostname' => $hostname, 'sysname' => $sysname, 'parent' => $parent, 'parentid' => $myrow['parentid']]);
                 }
                 $status = ['current' => $_POST['current'], 'rowCount' => $_POST['rowCount'], 'rows' => $res_arr, 'total' => $rec_count];
diff --git a/includes/html/pages/devices.inc.php b/includes/html/pages/devices.inc.php
index 73581c14b3..9c69b39cea 100644
--- a/includes/html/pages/devices.inc.php
+++ b/includes/html/pages/devices.inc.php
@@ -344,21 +344,21 @@ if ($format == 'graph') {
             },
             post: function () {
                 return {
-                    format: '<?php echo $vars['format']; ?>',
+                    format: '<?php echo htmlspecialchars($vars['format']); ?>',
                     searchPhrase: '<?php echo htmlspecialchars($vars['searchquery'] ?? ''); ?>',
-                    os: '<?php echo $vars['os'] ?? ''; ?>',
-                    version: '<?php echo $vars['version'] ?? ''; ?>',
-                    hardware: '<?php echo $vars['hardware'] ?? ''; ?>',
-                    features: '<?php echo $vars['features'] ?? ''; ?>',
-                    location: '<?php echo $vars['location'] ?? ''; ?>',
-                    type: '<?php echo $vars['type'] ?? ''; ?>',
-                    state: '<?php echo $vars['state'] ?? ''; ?>',
-                    disabled: '<?php echo $vars['disabled'] ?? ''; ?>',
-                    ignore: '<?php echo $vars['ignore'] ?? ''; ?>',
-                    disable_notify: '<?php echo $vars['disable_notify'] ?? ''; ?>',
-                    group: '<?php echo $vars['group'] ?? ''; ?>',
-                    poller_group: '<?php echo $vars['poller_group'] ?? ''; ?>',
-                    device_id: '<?php echo $vars['device_id'] ?? ''; ?>',
+                    os: '<?php echo htmlspecialchars($vars['os'] ?? ''); ?>',
+                    version: '<?php echo htmlspecialchars($vars['version'] ?? ''); ?>',
+                    hardware: '<?php echo htmlspecialchars($vars['hardware'] ?? ''); ?>',
+                    features: '<?php echo htmlspecialchars($vars['features'] ?? ''); ?>',
+                    location: '<?php echo htmlspecialchars($vars['location'] ?? ''); ?>',
+                    type: '<?php echo htmlspecialchars($vars['type'] ?? ''); ?>',
+                    state: '<?php echo htmlspecialchars($vars['state'] ?? ''); ?>',
+                    disabled: '<?php echo htmlspecialchars($vars['disabled'] ?? ''); ?>',
+                    ignore: '<?php echo htmlspecialchars($vars['ignore'] ?? ''); ?>',
+                    disable_notify: '<?php echo htmlspecialchars($vars['disable_notify'] ?? ''); ?>',
+                    group: '<?php echo htmlspecialchars($vars['group'] ?? ''); ?>',
+                    poller_group: '<?php echo htmlspecialchars($vars['poller_group'] ?? ''); ?>',
+                    device_id: '<?php echo htmlspecialchars($vars['device_id'] ?? ''); ?>',
                 };
             },
             url: "<?php echo url('/ajax/table/device') ?>"
@@ -372,7 +372,7 @@ if ($format == 'graph') {
             "<form method='post' action='' class='form-inline devices-search-header' role='form'>" +
             "<?php echo addslashes(csrf_field()) ?>"+
             "<div class='form-group'>" +
-            "<input type='text' name='searchquery' id='searchquery' value='<?php echo $vars['searchquery'] ?? ''; ?>' class='form-control' placeholder='Search'>" +
+            "<input type='text' name='searchquery' id='searchquery' value='<?php echo htmlspecialchars($vars['searchquery'] ?? ''); ?>' class='form-control' placeholder='Search'>" +
             "</div>" +
             "<div class='form-group'><?php echo $state_selection ?></div>" +
             "<div class='form-group'><select name='os' id='os' class='form-control'></select></div>" +
diff --git a/includes/html/pages/services.inc.php b/includes/html/pages/services.inc.php
index 0207a176de..26c563c6fc 100644
--- a/includes/html/pages/services.inc.php
+++ b/includes/html/pages/services.inc.php
@@ -134,7 +134,7 @@ require_once 'includes/html/modal/delete_service.inc.php';
                 foreach (dbFetchRows($host_sql, $host_par) as $device) {
                     $device_id = $device['device_id'];
                     $device_hostname = $device['hostname'];
-                    $device_sysName = $device['sysName'];
+                    $device_sysName = htmlspecialchars($device['sysName']);
                     $devlink = generate_device_link($device, null, ['tab' => 'services']);
                     if ($shift == 1) {
                         array_unshift($sql_param, $device_id);
diff --git a/includes/html/table/alerts.inc.php b/includes/html/table/alerts.inc.php
index 2a02f0cd2b..22c0befbfa 100644
--- a/includes/html/table/alerts.inc.php
+++ b/includes/html/table/alerts.inc.php
@@ -194,7 +194,7 @@ foreach (dbFetchRows($sql, $param) as $alert) {
         'details' => '<a class="fa-solid fa-plus incident-toggle" style="display:none" data-toggle="collapse" data-target="#incident' . $alert['id'] . '" data-parent="#alerts"></a>',
         'verbose_details' => "<button type='button' class='btn btn-alert-details command-alert-details' aria-label='Details' id='alert-details' data-alert_log_id='{$alert_log_id}'><i class='fa-solid fa-circle-info'></i></button>",
         'hostname' => $hostname,
-        'location' => generate_link($alert['location'], ['page' => 'devices', 'location' => $alert['location']]),
+        'location' => generate_link(htmlspecialchars($alert['location']), ['page' => 'devices', 'location' => $alert['location']]),
         'timestamp' => ($alert['timestamp_display'] ? $alert['timestamp_display'] : 'N/A'),
         'severity' => $severity_ico,
         'state' => $alert['state'],