From 4c9d4eefd8064a0285f9718ef38f5617d7f9d6fa Mon Sep 17 00:00:00 2001
From: PipoCanaja <38363551+PipoCanaja@users.noreply.github.com>
Date: Sun, 13 Feb 2022 21:54:58 +0100
Subject: [PATCH] XSS fixes (#13780)

---
 includes/html/forms/add-dashboard.inc.php | 2 +-
 includes/html/forms/customoid.inc.php | 6 +++---
 includes/html/forms/transport-groups.inc.php | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/includes/html/forms/add-dashboard.inc.php b/includes/html/forms/add-dashboard.inc.php
index 0e9d357fd1..d33f07c0f4 100644
--- a/includes/html/forms/add-dashboard.inc.php
+++ b/includes/html/forms/add-dashboard.inc.php
@@ -34,7 +34,7 @@ if (! Auth::check()) {
 $status = 'error';
 $message = 'unknown error';
-$dashboard_name = trim($_REQUEST['dashboard_name']);
+$dashboard_name = trim(strip_tags($_REQUEST['dashboard_name']));
 if (! empty($dashboard_name) && ($dash_id = dbInsert(['dashboard_name' => $dashboard_name, 'user_id' => Auth::id()], 'dashboards'))) {
 $status = 'ok';
diff --git a/includes/html/forms/customoid.inc.php b/includes/html/forms/customoid.inc.php
index aa10034c36..454925f128 100644
--- a/includes/html/forms/customoid.inc.php
+++ b/includes/html/forms/customoid.inc.php
@@ -17,9 +17,9 @@ $message = '';
 $device_id = $_POST['device_id'];
 $id = $_POST['ccustomoid_id'];
 $action = $_POST['action'];
-$name = $_POST['name'];
-$oid = $_POST['oid'];
-$datatype = $_POST['datatype'];
+$name = strip_tags($_POST['name']);
+$oid = strip_tags($_POST['oid']);
+$datatype = strip_tags($_POST['datatype']);
 if (empty(($_POST['unit']))) {
 $unit = ['NULL'];
 } else {
diff --git a/includes/html/forms/transport-groups.inc.php b/includes/html/forms/transport-groups.inc.php
index 62dae3cd68..535c137304 100644
--- a/includes/html/forms/transport-groups.inc.php
+++ b/includes/html/forms/transport-groups.inc.php
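Review bot: `strip_tags` on the input line does not close the attribute-context XSS case: a name such as `" onmouseover=alert(1)` contains no tag, survives unchanged, and is stored, so wherever `dashboard_name` is rendered into an attribute (those render sites are outside this diff) it still needs `htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` at output. Stripping at input also silently mangles legitimate names containing `<`, so escaping at render time is the more complete fix and this line is at best defence in depth. On the same line, `$_REQUEST['dashboard_name']` is read with no default, so a missing field raises an undefined-index warning and passes null into strip_tags (deprecated in PHP 8.1); `trim(strip_tags($_REQUEST['dashboard_name'] ?? ''))` avoids that. Reading a create action from `$_REQUEST` also means a plain GET link can trigger the insert unless a CSRF token check exists outside this file — worth confirming.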
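Review bot: For `$oid` and `$datatype`, strip_tags is a weaker check than the data admits: if custom OIDs here are always in dotted-numeric form, `$oid` should be validated with something like `preg_match('/^\.?\d+(\.\d+)*$/', $_POST['oid'] ?? '')` and rejected otherwise, and if `datatype` comes from a fixed list it should be checked with `in_array($_POST['datatype'], $allowedTypes, true)` rather than having tags removed — the accepted forms are not visible in this hunk, so confirm them before tightening. strip_tags also leaves attribute-injection payloads untouched (no `<` or `>` involved), so output escaping with htmlspecialchars is still required wherever `name` is rendered. `$device_id`, `$id` and `$action` on the lines above are taken from `$_POST` as-is; that is fine if they only reach parameterised queries, but the rest of this handler is outside the hunk.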
@@ -35,7 +35,7 @@ $status = 'ok';
 $message = '';
 $group_id = $vars['group_id'];
-$name = $vars['name'];
+$name = strip_tags($vars['name']);
 $target_members = [];
 foreach ((array) $vars['members'] as $target) {
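Review bot: `$vars['name']` gets strip_tags but `$vars['members']` on the last line is iterated untouched; if those member values are later echoed into HTML or interpolated into a query they need the same treatment, and the loop body is outside the hunk so that cannot be checked here. As in the other two files, strip_tags is not an HTML escape: `" onfocus=alert(1)` has no tag and passes straight through, so this change is only complete if the render side applies htmlspecialchars. The new line also has no null guard; `strip_tags($vars['name'] ?? '')` avoids the PHP 8.1 null-argument deprecation when the field is absent.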