security: Remove possibility of xss in Oxidized and RIPE searches (#6595)

2024-10-07 16:52:45 +00:00 · 2017-05-05 22:16:39 +01:00
parent 6734e84382
commit 868fe44390
3 changed files with 7 additions and 8 deletions
--- a/html/includes/forms/query-ripenccapi.inc.php
+++ b/html/includes/forms/query-ripenccapi.inc.php
@@ -23,10 +23,10 @@ if (isset($data_param) && isset($query_param)) {
    $status  = 'error';
    $message = 'ERROR: Could not query';
 }
-die(json_encode(array(
+die(display(json_encode(array(
     'status'       => $status,
     'message'      => $message,
     'data_param'    => $data_param,
     'query_param'    => $query_param,
-     'output'       => $output
+     'output'       => $output,
-)));
+))));
--- a/html/includes/forms/search-oxidized-config.inc.php
+++ b/html/includes/forms/search-oxidized-config.inc.php
@@ -22,10 +22,9 @@ if (isset($parameters)) {
    $status  = 'error';
    $message = 'ERROR: Could not query';
 }
-
+echo display(_json_encode(array(
 echo _json_encode(array(
     'status'                   => $status,
     'message'                  => $message,
     'search_in_conf_textbox'   => $parameters,
     'output'                   => $output
-));
+)));
--- a/html/pages/oxidized.inc.php
+++ b/html/pages/oxidized.inc.php
@@ -77,8 +77,8 @@ $pagetitle[] = 'Oxidized';
                $("#search-output").show();
                if (data.output)
                    $('#search-output').append('Config appears on the folllowing device(s):<br />');
-                $.each(data.output, function (row, value) {
+                    $.each(data.output, function (row, value) {
-                    $('#search-output').append(value['full_name'] + '<br />');
+                        $('#search-output').append(value['full_name'] + '<br />');
                });
            },
            error: function () {