author | Scott Ullrich <sullrich@pfsense.org> | 2010-11-12 11:36:13 -0500 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2010-11-12 11:36:20 -0500 |
commit | dd5bf424c155922b065b45e64733bdf8de620c0f (patch) | |
tree | 1b22756ce120544141edc9d3f2159037b955c2bc | |
parent | 4656943e59eb19a534c06cc253e266da6c52e915 (diff) | |
download | pfsense-dd5bf424c155922b065b45e64733bdf8de620c0f.zip pfsense-dd5bf424c155922b065b45e64733bdf8de620c0f.tar.gz |
Fix XSS issues
37 files changed, 144 insertions, 145 deletions
diff --git a/usr/local/www/diag_authentication.php b/usr/local/www/diag_authentication.php
index 19c0d69..a8f897c 100755
--- a/usr/local/www/diag_authentication.php
+++ b/usr/local/www/diag_authentication.php
@@ -105,13 +105,13 @@ include("head.inc");
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Username"); ?></td>
<td width="78%" class="vtable">
- <input class="formfld unknown" size='20' id='username' name='username' value='<?=$pconfig['username'];?>' />
+ <input class="formfld unknown" size='20' id='username' name='username' value='<?=htmlspecialchars($pconfig['username']);?>' />
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Password"); ?></td>
<td width="78%" class="vtable">
- <input class="formfld pwd" type='password' size='20' id='password' name='password' value='<?=$pconfig['password'];?>' />
+ <input class="formfld pwd" type='password' size='20' id='password' name='password' value='<?=htmlspecialchars($pconfig['password']);?>' />
</td>
</tr>
<tr>
diff --git a/usr/local/www/diag_smart.php b/usr/local/www/diag_smart.php
index 11aae90..05239fa 100644
--- a/usr/local/www/diag_smart.php
+++ b/usr/local/www/diag_smart.php
@@ -208,7 +208,7 @@ switch($action)
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Email Address"); ?></td>
<td width="78%" class="vtable">
- <input type="text" name="smartmonemail" value="<?=$pconfig['smartmonemail']?>"/>
+ <input type="text" name="smartmonemail" value="<?=htmlspecialchars($pconfig['smartmonemail'])?>"/>
</td>
</tr>
<tr>
diff --git a/usr/local/www/firewall_aliases_edit.php b/usr/local/www/firewall_aliases_edit.php
index 3ae4cc3..ab90a5a 100755
--- a/usr/local/www/firewall_aliases_edit.php
+++ b/usr/local/www/firewall_aliases_edit.php
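Review bot: The `username` and `password` inputs in the diag_authentication.php hunk use single-quoted attributes (`value='...'`), but `htmlspecialchars()` without a flags argument defaults to ENT_COMPAT on every PHP version before 8.1, which leaves `'` unencoded, so a value containing a single quote still terminates the attribute. Pass the flag explicitly: `value='<?=htmlspecialchars($pconfig['username'], ENT_QUOTES);?>'`, and the same for the `password` field. The other attribute sinks in this commit are double-quoted, where the default flags are sufficient. Re-rendering the submitted password into the form is pre-existing behaviour rather than something this hunk introduces, but it is worth asking whether that field needs to be repopulated at all.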
@@ -569,7 +569,7 @@ EOD; <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Description"); ?></td> <td width="78%" class="vtable"> - <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> + <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>" /> <br /> <span class="vexpl"> <?=gettext("You may enter a description here for your reference (not parsed)."); ?> diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index e27053c..d216a98 100755 --- a/usr/local/www/firewall_nat_edit.php +++ b/usr/local/www/firewall_nat_edit.php @@ -834,7 +834,7 @@ include("fbegin.inc"); ?> <script language="JavaScript"> <!-- ext_change(); - dst_change(document.iform.interface.value,'<?=$pconfig['interface']?>','<?=$pconfig['dst']?>'); + dst_change(document.iform.interface.value,'<?=htmlspecialchars($pconfig['interface'])?>','<?=htmlspecialchars($pconfig['dst'])?>'); var iface_old = document.iform.interface.value; typesel_change(); proto_change(); diff --git a/usr/local/www/firewall_rules.php b/usr/local/www/firewall_rules.php index ccf1e58..3ece034 100755 --- a/usr/local/www/firewall_rules.php +++ b/usr/local/www/firewall_rules.php 
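Review bot: In the firewall_nat_edit.php @@ -834 hunk the escaped values are emitted inside single-quoted JavaScript string literals in the `dst_change(...)` call, where `htmlspecialchars()` is the wrong encoder: its default flags leave `'` and `\` untouched, so either still ends or alters the JS string, and the entities it does produce are not decoded inside a `<script>` block, so a value such as `a&b` reaches the function as the literal text `a&amp;b`. Emit JavaScript values with a JavaScript encoder instead, e.g. `dst_change(document.iform.interface.value, <?=json_encode((string)$pconfig['interface'])?>, <?=json_encode((string)$pconfig['dst'])?>);` (`json_encode` also escapes `/`, so a closing script tag cannot be formed; the `(string)` cast keeps a missing value as `''` rather than `null`). The enclosing script block starts and ends outside the hunk.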
@@ -371,7 +371,7 @@ if($_REQUEST['undodrag']) { <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="<?gettext("delete selected rules"); ?>" border="0"><?php else: ?> <input name="del" type="image" src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="<?=gettext("delete selected rules");?>" onclick="return confirm('<?=gettext('Do you really want to delete the selected rules?');?>')"><?php endif; ?> </td> - <td align="center" valign="middle"><a href="firewall_rules_edit.php?if=<?=$if;?>&after=-1"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add new rule");?>" width="17" height="17" border="0"></a></td> + <td align="center" valign="middle"><a href="firewall_rules_edit.php?if=<?=htmlspecialchars($if);?>&after=-1"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add new rule");?>" width="17" height="17" border="0"></a></td> </tr> </table> </td> @@ -426,7 +426,7 @@ if($_REQUEST['undodrag']) { <table border="0" cellspacing="0" cellpadding="1"> <tr> <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_left_d.gif" width="17" height="17" title="<?=gettext("move selected rules before this rule");?>"></td> - <td><a href="interfaces.php?if=<?=$if?>#rfc1918"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="<?=gettext("edit rule");?>" width="17" height="17" border="0"></a></td> + <td><a href="interfaces.php?if=<?=htmlspecialchars($if)?>#rfc1918"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="<?=gettext("edit rule");?>" width="17" height="17" border="0"></a></td> </tr> <tr> <td align="center" valign="middle"></td> 
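Review bot: In the firewall_rules.php @@ -371 hunk `$if` is interpolated into the query string of an `href` attribute (`?if=<?=htmlspecialchars($if);?>&after=-1`); `htmlspecialchars()` keeps the attribute intact but does not encode a query-string value, so `&`, `=`, `#` or `%` in `$if` still change the meaning of the URL. Use the URL encoder for the parameter, `?if=<?=rawurlencode($if);?>&amp;after=-1`, and apply the same to the @@ -426, -454, -497, -721, -736 and -765 hunks of this file and to the `services_dhcp_edit.php?if=` link in the services_dhcp.php @@ -892 hunk. Where `$if` is request-derived (its assignment is not visible here), validating it once against the configured interface names near the top of the script would make every later use safe regardless of output context.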
@@ -454,7 +454,7 @@ if($_REQUEST['undodrag']) { <table border="0" cellspacing="0" cellpadding="1"> <tr> <td><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_left_d.gif" width="17" height="17" title="<?=gettext("move selected rules before this rule");?>"></td> - <td><a href="interfaces.php?if=<?=$if?>#rfc1918"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="<?=gettext("edit rule");?>" width="17" height="17" border="0"></a></td> + <td><a href="interfaces.php?if=<?=htmlspecialchars($if)?>#rfc1918"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="<?=gettext("edit rule");?>" width="17" height="17" border="0"></a></td> </tr> <tr> <td align="center" valign="middle"></td> @@ -497,7 +497,7 @@ if($_REQUEST['undodrag']) { $textss = $textse = ""; } ?> - <a href="?if=<?=$if;?>&act=toggle&id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_<?=$iconfn;?>.gif" width="11" height="11" border="0" title="<?=gettext("click to toggle enabled/disabled status");?>"></a> + <a href="?if=<?=htmlspecialchars($if);?>&act=toggle&id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_<?=$iconfn;?>.gif" width="11" height="11" border="0" title="<?=gettext("click to toggle enabled/disabled status");?>"></a> <?php if (isset($filterent['log'])): $iconfnlog = "log_s"; if (isset($filterent['disabled'])) 
@@ -721,7 +721,7 @@ if($_REQUEST['undodrag']) { <td><a href="firewall_rules_edit.php?id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" title="<?=gettext("edit rule"); ?>" width="17" height="17" border="0"></a></td> </tr> <tr> - <td align="center" valign="middle"><a href="firewall_rules.php?act=del&if=<?=$if;?>&id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?=gettext("delete rule"); ?>" onclick="return confirm('Do you really want to delete this rule?')"></a></td> + <td align="center" valign="middle"><a href="firewall_rules.php?act=del&if=<?=htmlspecialchars($if);?>&id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?=gettext("delete rule"); ?>" onclick="return confirm('Do you really want to delete this rule?')"></a></td> <td><a href="firewall_rules_edit.php?dup=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add a new rule based on this one"); ?>" width="17" height="17" border="0"></a></td> </tr> </table> 
@@ -736,7 +736,7 @@ if($_REQUEST['undodrag']) { <span class="gray"> <?=gettext("No rules are currently defined for this interface"); ?><br> <?=gettext("All incoming connections on this interface will be blocked until you add pass rules."); ?><br><br> - <?=gettext("Click the"); ?> <a href="firewall_rules_edit.php?if=<?=$if;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add new rule");?>" border="0" width="17" height="17" align="absmiddle"></a><?=gettext(" button to add a new rule.");?></span> + <?=gettext("Click the"); ?> <a href="firewall_rules_edit.php?if=<?=htmlspecialchars($if);?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add new rule");?>" border="0" width="17" height="17" align="absmiddle"></a><?=gettext(" button to add a new rule.");?></span> </td> <?php endif; ?> <tr id="fr<?=$nrules;?>"> @@ -765,7 +765,7 @@ if($_REQUEST['undodrag']) { <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="<?=gettext("delete selected rules");?>" border="0"><?php else: ?> <input name="del" type="image" src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="<?=gettext("delete selected rules");?>" onclick="return confirm('<?=gettext('Do you really want to delete the selected rules?');?>')"><?php endif; ?> </td> - <td><a href="firewall_rules_edit.php?if=<?=$if;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add new rule");?>" width="17" height="17" border="0"></a></td> + <td><a href="firewall_rules_edit.php?if=<?=htmlspecialchars($if);?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add new rule");?>" width="17" height="17" border="0"></a></td> </tr> </table> </td> 
@@ -822,7 +822,7 @@ if($_REQUEST['undodrag']) { </td> </tr> </table> - <input type="hidden" name="if" value="<?=$if;?>"> + <input type="hidden" name="if" value="<?=htmlspecialchars($if);?>"> <script type="text/javascript"> var number_of_rules = <?=$nrules?>; <?php $nrules = 0; for ($i = 0; isset($a_filter[$i]); $i++): ?> @@ -844,7 +844,7 @@ if($_REQUEST['undodrag']) { $('redboxtable').hide(); $('loading').show(); document.body.style.cursor = 'wait'; - document.location = 'firewall_rules.php?if=<?=$if?>&dragdroporder=true&' + Sortable.serialize('dragtable', 'tr'); + document.location = 'firewall_rules.php?if=<?=htmlspecialchars($if);?>&dragdroporder=true&' + Sortable.serialize('dragtable', 'tr'); return; } $('loading').hide(); diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php index 6d038a6..dfd94e6 100755 --- a/usr/local/www/firewall_rules_edit.php +++ b/usr/local/www/firewall_rules_edit.php @@ -837,7 +837,7 @@ include("head.inc"); <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcbeginport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option> <?php endforeach; ?> </select> - <input <?=$edit_disabled;?> autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo $pconfig['srcbeginport']; ?>"> + <input <?=$edit_disabled;?> autocomplete='off' class="formfldalias" name="srcbeginport_cust" id="srcbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcbeginport']) echo htmlspecialchars($pconfig['srcbeginport']); ?>"> </td> </tr> <tr> 
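Review bot: The firewall_rules.php @@ -844 hunk puts `$if` inside a single-quoted JavaScript string (`document.location = 'firewall_rules.php?if=<?=htmlspecialchars($if);?>&...'`), where HTML entity encoding does not apply and `'` is left unencoded by the default flags, so the string can still be terminated. Encode for both the JavaScript and the query-string context, e.g. `document.location = 'firewall_rules.php?if=' + <?=json_encode(rawurlencode($if))?> + '&dragdroporder=true&' + Sortable.serialize('dragtable', 'tr');`. The @@ -822 hidden input in the same file is fine as written, since that is a double-quoted HTML attribute. The enclosing script function starts and ends outside the hunk.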
@@ -850,7 +850,7 @@ include("head.inc"); <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['srcendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option> <?php endforeach; ?> </select> - <input <?=$edit_disabled;?> autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo $pconfig['srcendport']; ?>"> + <input <?=$edit_disabled;?> autocomplete='off' class="formfldalias" name="srcendport_cust" id="srcendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['srcendport']) echo htmlspecialchars($pconfig['srcendport']); ?>"> </td> </tr> </table> @@ -928,7 +928,7 @@ include("head.inc"); <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstbeginport']) { echo "selected"; $bfound = 1; }?>><?=htmlspecialchars($wkportdesc);?></option> <?php endforeach; ?> </select> - <input <?=$edit_disabled;?> autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo $pconfig['dstbeginport']; ?>"> + <input <?=$edit_disabled;?> autocomplete='off' class="formfldalias" name="dstbeginport_cust" id="dstbeginport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstbeginport']) echo htmlspecialchars($pconfig['dstbeginport']); ?>"> </td> </tr> <tr> 
@@ -941,7 +941,7 @@ include("head.inc"); <option value="<?=$wkport;?>" <?php if ($wkport == $pconfig['dstendport']) { echo "selected"; $bfound = 1; } ?>><?=htmlspecialchars($wkportdesc);?></option> <?php endforeach; ?> </select> - <input <?=$edit_disabled;?> autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo $pconfig['dstendport']; ?>"> + <input <?=$edit_disabled;?> autocomplete='off' class="formfldalias" name="dstendport_cust" id="dstendport_cust" type="text" size="5" value="<?php if (!$bfound && $pconfig['dstendport']) echo htmlspecialchars($pconfig['dstendport']); ?>"> </td> </tr> </table> 
@@ -1058,11 +1058,11 @@ include("head.inc"); <input name="tagged" id="tagged" value="<?=htmlspecialchars($pconfig['tagged']);?>"> <br /><span class="vexpl"><?=gettext("You can match packet on a mark placed before on another rule.")?> </span> <p> - <input name="max" id="max" value="<?php echo $pconfig['max'] ?>"><br><?=gettext(" Maximum state entries this rule can create");?></p><p> - <input name="max-src-nodes" id="max-src-nodes" value="<?php echo $pconfig['max-src-nodes'] ?>"><br><?=gettext(" Maximum number of unique source hosts");?></p><p> - <input name="max-src-conn" id="max-src-conn" value="<?php echo $pconfig['max-src-conn'] ?>"><br><?=gettext(" Maximum number of established connections per host");?></p><p> - <input name="max-src-states" id="max-src-states" value="<?php echo $pconfig['max-src-states'] ?>"><br><?=gettext(" Maximum state entries per host");?></p><p> - <input name="max-src-conn-rate" id="max-src-conn-rate" value="<?php echo $pconfig['max-src-conn-rate'] ?>"> / + <input name="max" id="max" value="<?php echo htmlspecialchars($pconfig['max']) ?>"><br><?=gettext(" Maximum state entries this rule can create");?></p><p> + <input name="max-src-nodes" id="max-src-nodes" value="<?php echo htmlspecialchars($pconfig['max-src-nodes']) ?>"><br><?=gettext(" Maximum number of unique source hosts");?></p><p> + <input name="max-src-conn" id="max-src-conn" value="<?php echo htmlspecialchars($pconfig['max-src-conn']) ?>"><br><?=gettext(" Maximum number of established connections per host");?></p><p> + <input name="max-src-states" id="max-src-states" value="<?php echo htmlspecialchars($pconfig['max-src-states']) ?>"><br><?=gettext(" Maximum state entries per host");?></p><p> + <input name="max-src-conn-rate" id="max-src-conn-rate" value="<?php echo htmlspecialchars($pconfig['max-src-conn-rate']) ?>"> / <select name="max-src-conn-rates" id="max-src-conn-rates"> <option value=""<?php if(intval($pconfig['max-src-conn-rates']) < 1) echo " selected"; ?>></option> <?php 
for($x=1; $x<255; $x++) {
@@ -1073,7 +1073,7 @@ include("head.inc");
<?=gettext("Maximum new connections / per second(s)");?>
</p><p>
- <input name="statetimeout" value="<?php echo $pconfig['statetimeout'] ?>"><br>
+ <input name="statetimeout" value="<?php echo htmlspecialchars($pconfig['statetimeout']) ?>"><br>
<?=gettext("State Timeout in seconds");?>
</p>
diff --git a/usr/local/www/firewall_shaper_layer7.php b/usr/local/www/firewall_shaper_layer7.php
index a73506d..56e36d0 100755
--- a/usr/local/www/firewall_shaper_layer7.php
+++ b/usr/local/www/firewall_shaper_layer7.php
@@ -77,14 +77,14 @@ if($_GET['reset'] <> "") {
if ($_GET) {
if ($_GET['container'])
- $name = trim($_GET['container']);
+ $name = htmlspecialchars(trim($_GET['container']));
if ($_GET['action'])
- $action = $_GET['action'];
+ $action = htmlspecialchars($_GET['action']);
}
if($_POST) {
if ($_POST['container']) {
- $name = trim($_POST['container']);
+ $name = htmlspecialchars(trim($_POST['container']));
}
}
@@ -93,7 +93,6 @@ if ($name) {
$container = $layer7_rules_list[$name];
}
-
if ($_GET) {
switch ($action) {
case "add":
diff --git a/usr/local/www/firewall_shaper_queues.php b/usr/local/www/firewall_shaper_queues.php
index ac3213a..32cf251 100755
--- a/usr/local/www/firewall_shaper_queues.php
+++ b/usr/local/www/firewall_shaper_queues.php
@@ -69,11 +69,11 @@ $tree .= "</ul>";
if ($_GET) {
if ($_GET['queue'])
- $qname = trim($_GET['queue']);
+ $qname = htmlspecialchars(trim($_GET['queue']));
if ($_GET['interface'])
- $interface = trim($_GET['interface']);
+ $interface = htmlspecialchars(trim($_GET['interface']));
if ($_GET['action'])
- $action = $_GET['action'];
+ $action = htmlspecialchars($_GET['action']);
switch ($action) {
case "delete":
diff --git a/usr/local/www/interfaces.php b/usr/local/www/interfaces.php
index 7e016f9..450401b 100755
--- a/usr/local/www/interfaces.php
+++ b/usr/local/www/interfaces.php
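Review bot: In the firewall_shaper_layer7.php @@ -77 hunk `htmlspecialchars()` is applied when the request values are read rather than when they are printed; `$name` is then used as an array key in `$layer7_rules_list[$name]` (visible in the @@ -93 context), so a container name containing `&`, `<`, `>` or `"` no longer matches its own entry, and any later output that also escapes the value will double-encode it. The same input-time encoding is applied to `$qname`, `$interface` and `$action` in the firewall_shaper_queues.php @@ -69 hunk. Escaping belongs at the output sink for its context; at the input boundary the value should be validated instead, e.g. `$name = trim($_GET['container']); if (!isset($layer7_rules_list[$name])) $name = '';` with `htmlspecialchars($name)` wherever it is echoed into HTML. `$action` needs no encoding at all, since it is only compared in the `switch`, whose `default` branch already acts as the allowlist. Where `$layer7_rules_list` is populated is outside the hunk, so the key format is inferred.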
@@ -2035,9 +2035,9 @@ $types = array("none" => gettext("None"), "static" => gettext("Static"), "dhcp" <input id="cancel" type="button" class="formbtn" value="<?=gettext("Cancel"); ?>" onclick="history.back()"> <input name="if" type="hidden" id="if" value="<?=$if;?>"> <?php if ($wancfg['if'] == $a_ppps[$pppid]['if']) : ?> - <input name="ppp_port" type="hidden" value="<?=$pconfig['port'];?>"> + <input name="ppp_port" type="hidden" value="<?=htmlspecialchars($pconfig['port']);?>"> <?php endif; ?> - <input name="ptpid" type="hidden" value="<?=$pconfig['ptpid'];?>"> + <input name="ptpid" type="hidden" value="<?=htmlspecialchars($pconfig['ptpid']);?>"> </td> </tr> </table> diff --git a/usr/local/www/interfaces_bridge_edit.php b/usr/local/www/interfaces_bridge_edit.php index 0892445..06d5b94 100644 --- a/usr/local/www/interfaces_bridge_edit.php +++ b/usr/local/www/interfaces_bridge_edit.php @@ -268,7 +268,7 @@ function show_source_port_range() { <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Description"); ?></td> <td width="78%" class="vtable"> - <input type="text" name="descr" id="descr" class="formfld unknown" size="50" value="<?=$pconfig['descr'];?>"> + <input type="text" name="descr" id="descr" class="formfld unknown" size="50" value="<?=htmlspecialchars($pconfig['descr']);?>"> </td> </tr> <tr id="sprtable" name="sprtable"> @@ -321,7 +321,7 @@ function show_source_port_range() { </td></tr> <tr><td valign="top" class="vncell" width="20%"><?=gettext("Valid time"); ?></td> <td class="vtable" width="80%"> - <input name="maxage" type="text" class="formfld unkown" id="maxage" size="8" value="<?=$pconfig['maxage'];?>"> <?=gettext("seconds"); ?> + <input name="maxage" type="text" class="formfld unkown" id="maxage" size="8" value="<?=htmlspecialchars($pconfig['maxage']);?>"> <?=gettext("seconds"); ?> <br/> <span class="vexpl"> <?=gettext("Set the time that a Spanning Tree Protocol configuration is " . 
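Review bot: The interfaces.php @@ -2035 hunk escapes `ppp_port` and `ptpid` but leaves the hidden `if` input on the context line just above them unescaped (`<input name="if" type="hidden" id="if" value="<?=$if;?>">`), which is the same double-quoted-attribute sink as the two lines being fixed. Change it to `value="<?=htmlspecialchars($if);?>"`, matching the treatment of the `if` hidden inputs in the firewall_rules.php and services_dhcp.php hunks of this commit. Whether `$if` is request-derived in this file is not visible here.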
@@ -331,7 +331,7 @@ function show_source_port_range() { </td></tr> <tr><td valign="top" class="vncell" width="20%"><?=gettext("Forward time"); ?> </td> <td class="vtable" width="80%"> - <input name="fwdelay" type="text" class="formfld unkown" id="fwdelay" size="8" value="<?=$pconfig['fwdelay'];?>"> <?=gettext("seconds"); ?> + <input name="fwdelay" type="text" class="formfld unkown" id="fwdelay" size="8" value="<?=htmlspecialchars($pconfig['fwdelay']);?>"> <?=gettext("seconds"); ?> <br/> <span class="vexpl"> <?=gettext("Set the time that must pass before an interface begins forwarding " . @@ -340,7 +340,7 @@ function show_source_port_range() { </td></tr> <tr><td valign="top" class="vncell" width="20%"><?=gettext("Hello time"); ?></td> <td class="vtable" width="80%"> - <input name="hellotime" type="text" class="formfld unkown" size="8" id="hellotime" value="<?=$pconfig['hellotime'];?>"> <?=gettext("seconds"); ?> + <input name="hellotime" type="text" class="formfld unkown" size="8" id="hellotime" value="<?=htmlspecialchars($pconfig['hellotime']);?>"> <?=gettext("seconds"); ?> <br/> <span class="vexpl"> <?=gettext("Set the time between broadcasting of Spanning Tree Protocol configuration messages. The hello time may only be changed when " . @@ -349,7 +349,7 @@ function show_source_port_range() { </td></tr> <tr><td valign="top" class="vncell" width="20%"><?=gettext("Priority"); ?></td> <td class="vtable" width="80%"> - <input name="priority" type="text" class="formfld unkown" id="priority" value="<?=$pconfig['priority'];?>"> + <input name="priority" type="text" class="formfld unkown" id="priority" value="<?=htmlspecialchars($pconfig['priority']);?>"> <br/> <span class="vexpl"> <?=gettext("Set the bridge priority for Spanning Tree. The default is 32768. " . 
@@ -358,7 +358,7 @@ function show_source_port_range() { </td></tr> <tr><td valign="top" class="vncell" width="20%"><?=gettext("Hold count"); ?></td> <td class="vtable" width="80%"> - <input name="holdcnt" type="text" class="formfld unkown" id="holdcnt" value="<?=$pconfig['holdcnt'];?>"> + <input name="holdcnt" type="text" class="formfld unkown" id="holdcnt" value="<?=htmlspecialchars($pconfig['holdcnt']);?>"> <br/> <span class="vexpl"> <?=gettext("Set the transmit hold count for Spanning Tree. This is the num- " . @@ -399,7 +399,7 @@ function show_source_port_range() { <tr style="display:none" id="sprtable2" name="sprtable2"> <td valign="top" class="vncell"><?=gettext("Cache size"); ?></td> <td class="vtable"> - <input name="maxaddr" size="10" type="text" class="formfld unkown" id="maxaddr" value="<?=$pconfig['maxaddr'];?>"> <?=gettext("entries"); ?> + <input name="maxaddr" size="10" type="text" class="formfld unkown" id="maxaddr" value="<?=htmlspecialchars($pconfig['maxaddr']);?>"> <?=gettext("entries"); ?> <br/><span class="vexpl"> <?=gettext("Set the size of the bridge address cache to size. The default is " . ".100 entries."); ?> @@ -409,7 +409,7 @@ function show_source_port_range() { <tr style="display:none" id="sprtable3" name="sprtable3"> <td valign="top" class="vncell"><?=gettext("Cache entry expire time"); ?></td> <td> - <input name="timeout" type="text" class="formfld unkown" id="timeout" size="10" value="<?=$pconfig['timeout'];?>"> <?=gettext("seconds"); ?> + <input name="timeout" type="text" class="formfld unkown" id="timeout" size="10" value="<?=htmlspecialchars($pconfig['timeout']);?>"> <?=gettext("seconds"); ?> <br/><span class="vexpl"> <?=gettext("Set the timeout of address cache entries to this number of seconds. If " . "seconds is zero, then address cache entries will not be expired. " . 
@@ -575,7 +575,7 @@ function show_source_port_range() { <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input type="hidden" name="bridgeif" value="<?=$pconfig['bridgeif']; ?>"> + <input type="hidden" name="bridgeif" value="<?=htmlspecialchars($pconfig['bridgeif']); ?>"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>"> <input type="button" value="<?=gettext("Cancel"); ?>" onclick="history.back()"> <?php if (isset($id) && $a_bridges[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> diff --git a/usr/local/www/interfaces_gif_edit.php b/usr/local/www/interfaces_gif_edit.php index e650149..efbf036 100644 --- a/usr/local/www/interfaces_gif_edit.php +++ b/usr/local/www/interfaces_gif_edit.php 
@@ -150,21 +150,21 @@ include("head.inc"); <tr> <td valign="top" class="vncellreq"><?=gettext("gif remote address"); ?></td> <td class="vtable"> - <input name="remote-addr" type="text" class="formfld unknown" id="remote-addr" size="16" value="<?=$pconfig['remote-addr'];?>"> + <input name="remote-addr" type="text" class="formfld unknown" id="remote-addr" size="16" value="<?=htmlspecialchars($pconfig['remote-addr']);?>"> <br> <span class="vexpl"><?=gettext("Peer address where encapsulated gif packets will be sent. "); ?></span></td> </tr> <tr> <td valign="top" class="vncellreq"><?=gettext("gif tunnel local address"); ?></td> <td class="vtable"> - <input name="tunnel-local-addr" type="text" class="formfld unknown" id="tunnel-local-addr" size="16" value="<?=$pconfig['tunnel-local-addr'];?>"> + <input name="tunnel-local-addr" type="text" class="formfld unknown" id="tunnel-local-addr" size="16" value="<?=htmlspecialchars($pconfig['tunnel-local-addr']);?>"> <br> <span class="vexpl"><?=gettext("Local gif tunnel endpoint"); ?></span></td> </tr> <tr> <td valign="top" class="vncellreq"><?=gettext("gif tunnel remote address "); ?></td> <td class="vtable"> - <input name="tunnel-remote-addr" type="text" class="formfld unknown" id="tunnel-remote-addr" size="16" value="<?=$pconfig['tunnel-remote-addr'];?>"> + <input name="tunnel-remote-addr" type="text" class="formfld unknown" id="tunnel-remote-addr" size="16" value="<?=htmlspecialchars($pconfig['tunnel-remote-addr']);?>"> <select name="tunnel-remote-net" class="formselect" id="tunnel-remote-net"> <?php for ($i = 32; $i > 0; $i--) { 
@@ -206,7 +206,7 @@ include("head.inc"); <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input type="hidden" name="gifif" value="<?=$pconfig['gifif']; ?>"> + <input type="hidden" name="gifif" value="<?=htmlspecialchars($pconfig['gifif']); ?>"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>"> <input type="button" value="<?=gettext("Cancel"); ?>" onclick="history.back()"> <?php if (isset($id) && $a_gifs[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> diff --git a/usr/local/www/interfaces_gre_edit.php b/usr/local/www/interfaces_gre_edit.php index fe1962b..f0f0a84 100644 --- a/usr/local/www/interfaces_gre_edit.php +++ b/usr/local/www/interfaces_gre_edit.php 
@@ -153,21 +153,21 @@ include("head.inc"); <tr> <td valign="top" class="vncellreq"><?=gettext("GRE remote address");?></td> <td class="vtable"> - <input name="remote-addr" type="text" class="formfld unknown" id="remote-addr" size="16" value="<?=$pconfig['remote-addr'];?>"> + <input name="remote-addr" type="text" class="formfld unknown" id="remote-addr" size="16" value="<?=htmlspecialchars($pconfig['remote-addr']);?>"> <br> <span class="vexpl"><?=gettext("Peer address where encapsulated GRE packets will be sent ");?></span></td> </tr> <tr> <td valign="top" class="vncellreq"><?=gettext("GRE tunnel local address ");?></td> <td class="vtable"> - <input name="tunnel-local-addr" type="text" class="formfld unknown" id="tunnel-local-addr" size="16" value="<?=$pconfig['tunnel-local-addr'];?>"> + <input name="tunnel-local-addr" type="text" class="formfld unknown" id="tunnel-local-addr" size="16" value="<?=htmlspecialchars($pconfig['tunnel-local-addr']);?>"> <br> <span class="vexpl"><?=gettext("Local GRE tunnel endpoint");?></span></td> </tr> <tr> <td valign="top" class="vncellreq"><?=gettext("GRE tunnel remote address ");?></td> <td class="vtable"> - <input name="tunnel-remote-addr" type="text" class="formfld unknown" id="tunnel-remote-addr" size="16" value="<?=$pconfig['tunnel-remote-addr'];?>"> + <input name="tunnel-remote-addr" type="text" class="formfld unknown" id="tunnel-remote-addr" size="16" value="<?=htmlspecialchars($pconfig['tunnel-remote-addr']);?>"> <select name="tunnel-remote-net" class="formselect" id="tunnel-remote-net"> <?php for ($i = 32; $i > 0; $i--) { 
@@ -218,7 +218,7 @@ include("head.inc"); <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input type="hidden" name="greif" value="<?=$pconfig['greif']; ?>"> + <input type="hidden" name="greif" value="<?=htmlspecialchars($pconfig['greif']); ?>"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>"> <input type="button" value="<?=gettext("Cancel");?>" onclick="history.back()"> <?php if (isset($id) && $a_gres[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> diff --git a/usr/local/www/interfaces_groups_edit.php b/usr/local/www/interfaces_groups_edit.php index 194dfa0..4196ad8 100755 --- a/usr/local/www/interfaces_groups_edit.php +++ b/usr/local/www/interfaces_groups_edit.php @@ -251,7 +251,7 @@ function removeRow(el) { <tr> <td valign="top" class="vncellreq"><?=gettext("Group Name");?></td> <td class="vtable"> - <input class="formfld unknown" name="ifname" id="ifname" value="<?=$pconfig['ifname'];?>" /> + <input class="formfld unknown" name="ifname" id="ifname" value="<?=htmlspecialchars($pconfig['ifname']);?>" /> <br /> <?=gettext("No numbers or spaces are allowed. Only characters in a-zA-Z");?> </td> @@ -259,7 +259,7 @@ function removeRow(el) { <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Description");?></td> <td width="78%" class="vtable"> - <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> + <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>" /> <br /> <span class="vexpl"> <?=gettext("You may enter a description here for your reference (not parsed).");?> diff --git a/usr/local/www/interfaces_lagg_edit.php b/usr/local/www/interfaces_lagg_edit.php index 27610c8..b65597c 100644 --- a/usr/local/www/interfaces_lagg_edit.php +++ b/usr/local/www/interfaces_lagg_edit.php 
@@ -205,7 +205,7 @@ include("head.inc"); <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input type="hidden" name="laggif" value="<?=$pconfig['laggif']; ?>"> + <input type="hidden" name="laggif" value="<?=htmlspecialchars($pconfig['laggif']); ?>"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>"> <input type="button" value="<?=gettext("Cancel"); ?>" onclick="history.back()"> <?php if (isset($id) && $a_laggs[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> diff --git a/usr/local/www/interfaces_qinq_edit.php b/usr/local/www/interfaces_qinq_edit.php index 7ab5a19..52289ba 100755 --- a/usr/local/www/interfaces_qinq_edit.php +++ b/usr/local/www/interfaces_qinq_edit.php @@ -307,7 +307,7 @@ function removeRow(el) { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("First level tag");?></td> <td width="78%" class="vtable"> - <input name="tag" type="text" class="formfld unknown" id="tag" size="10" value="<?=$pconfig['tag'];?>" /> + <input name="tag" type="text" class="formfld unknown" id="tag" size="10" value="<?=htmlspecialchars($pconfig['tag']);?>" /> <br /> <span class="vexpl"> <?=gettext("This is the first level VLAN tag. On top of this are stacked the member VLANs defined below.");?> @@ -336,7 +336,7 @@ function removeRow(el) { <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Description");?></td> <td width="78%" class="vtable"> - <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> + <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>" /> <br /> <span class="vexpl"> <?=gettext("You may enter a description here for your reference (not parsed).");?> diff --git a/usr/local/www/interfaces_vlan_edit.php b/usr/local/www/interfaces_vlan_edit.php index 6a84932..447722a 100755 --- a/usr/local/www/interfaces_vlan_edit.php 
+++ b/usr/local/www/interfaces_vlan_edit.php @@ -172,7 +172,7 @@ include("head.inc"); <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input type="hidden" name="vlanif" value="<?=$pconfig['vlanif']; ?>"> + <input type="hidden" name="vlanif" value="<?=htmlspecialchars($pconfig['vlanif']); ?>"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>"> <input type="button" value="<?=gettext("Cancel");?>" onclick="history.back()"> <?php if (isset($id) && $a_vlans[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> diff --git a/usr/local/www/interfaces_wireless_edit.php b/usr/local/www/interfaces_wireless_edit.php index 25251e3..686345d 100644 --- a/usr/local/www/interfaces_wireless_edit.php +++ b/usr/local/www/interfaces_wireless_edit.php @@ -191,7 +191,7 @@ include("head.inc"); <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input type="hidden" name="cloneif" value="<?=$pconfig['cloneif']; ?>"> + <input type="hidden" name="cloneif" value="<?=htmlspecialchars($pconfig['cloneif']); ?>"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>"> <input type="button" value="<?=gettext("Cancel");?>" onclick="history.back()"> <?php if (isset($id) && $a_clones[$id]): ?> <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> diff --git a/usr/local/www/load_balancer_relay_action_edit.php b/usr/local/www/load_balancer_relay_action_edit.php index 69bf0e3..390ee17 100755 --- a/usr/local/www/load_balancer_relay_action_edit.php +++ b/usr/local/www/load_balancer_relay_action_edit.php 
@@ -392,10 +392,10 @@ function num_options() { document.observe("dom:loaded", function() { - updateProtocol('<?=$pconfig['protocol']?>'); - updateDirection('<?=$pconfig['direction']?>'); - updateType('<?=$pconfig['type']?>'); - updateAction('<?=$pconfig['action']?>'); + updateProtocol('<?=htmlspecialchars($pconfig['protocol'])?>'); + updateDirection('<?=htmlspecialchars($pconfig['direction'])?>'); + updateType('<?=htmlspecialchars($pconfig['type'])?>'); + updateAction('<?=htmlspecialchars($pconfig['action'])?>'); }); </script> diff --git a/usr/local/www/load_balancer_virtual_server_edit.php b/usr/local/www/load_balancer_virtual_server_edit.php index 9118319..96a557c 100755 --- a/usr/local/www/load_balancer_virtual_server_edit.php +++ b/usr/local/www/load_balancer_virtual_server_edit.php @@ -167,7 +167,7 @@ document.observe("dom:loaded", function() { }); // Go ahead and disable the relay stuff, we'll trigger - updateRelay("<?=$pconfig['mode'];?>"); + updateRelay("<?=htmlspecialchars($pconfig['mode']);?>"); }); @@ -231,7 +231,7 @@ document.observe("dom:loaded", function() { <b><?=gettext("NOTE:"); ?></b> <?=gettext("Please add a pool on the Pools tab to use this feature."); ?> <?php else: ?> <select id="sitedown" name="sitedown"> - <option value=""<?=$pconfig['sitedown'] == '' ? ' selected' : ''?>><?=gettext("none"); ?></option> + <option value=""<?=htmlspecialchars($pconfig['sitedown']) == '' ? ' selected' : ''?>><?=gettext("none"); ?></option> <?php for ($i = 0; isset($config['load_balancer']['lbpool'][$i]); $i++) { $selected = ""; 
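Review bot: htmlspecialchars() with its default flags leaves a single quote unencoded (the default was ENT_COMPAT before PHP 8.1), so the values written into `updateProtocol('…')` through `updateAction('…')` can still terminate the single-quoted JavaScript string literal they sit in; the same pattern appears in `server_typechange('…')` in system_authservers.php and `change_mode('…')`/`change_protocol('…')` in vpn_ipsec_phase2.php. The minimal fix is to pass the flag explicitly, `updateProtocol('<?=htmlspecialchars($pconfig['protocol'], ENT_QUOTES)?>');`, and likewise for the other three calls. The `updateRelay("…")` line in load_balancer_virtual_server_edit.php uses double quotes, which the default flags do encode, so it is not affected.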
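Review bot: `htmlspecialchars($pconfig['sitedown']) == ''` in the `@@ -231` hunk escapes a value that is only compared, never printed, on that line, so the change has no effect on output safety; the two `mode` radio lines in the `@@ -250` hunk and the `?:` conditions on the `pollport`/`trapserverport` lines in services_snmp.php do the same (there the printed operands were already escaped before this commit). Escaping inside a condition reads as if an XSS sink were being closed when none exists there and can mislead a later audit; leave these as `$pconfig['sitedown'] == ''` and keep htmlspecialchars() at the actual output points.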
@@ -250,8 +250,8 @@ document.observe("dom:loaded", function() { <tr align="left"> <td width="22%" valign="top" class="vncellreq">Mode</td> <td width="78%" class="vtable" colspan="2"> - <input id="redirect_mode" type="radio" name="mode" value="redirect"<?=$pconfig['mode'] == 'redirect' ? ' checked="checked"': ''?>> Redirect - <input id="relay_mode" type="radio" name="mode" value="relay"<?=$pconfig['mode'] == 'relay' ? ' checked="checked"': ''?>> Relay + <input id="redirect_mode" type="radio" name="mode" value="redirect"<?=htmlspecialchars($pconfig['mode']) == 'redirect' ? ' checked="checked"': ''?>> Redirect + <input id="relay_mode" type="radio" name="mode" value="relay"<?=htmlspecialchars($pconfig['mode']) == 'relay' ? ' checked="checked"': ''?>> Relay <br> </td> diff --git a/usr/local/www/services_dhcp.php b/usr/local/www/services_dhcp.php index 79fc1dc..dae460e 100755 --- a/usr/local/www/services_dhcp.php +++ b/usr/local/www/services_dhcp.php @@ -864,7 +864,7 @@ include("head.inc"); <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="if" type="hidden" value="<?=$if;?>"> + <input name="if" type="hidden" value="<?=htmlspecialchars($if);?>"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save");?>" onclick="enable_change(true)"> </td> </tr> @@ -892,7 +892,7 @@ include("head.inc"); <table border="0" cellspacing="0" cellpadding="1"> <tr> <td valign="middle" width="17"></td> - <td valign="middle"><a href="services_dhcp_edit.php?if=<?=$if;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="services_dhcp_edit.php?if=<?=htmlspecialchars($if);?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> </tr> </table> </td> 
@@ -901,23 +901,23 @@ include("head.inc"); <?php $i = 0; foreach ($a_maps as $mapent): ?> <?php if($mapent['mac'] <> "" or $mapent['ipaddr'] <> ""): ?> <tr> - <td class="listlr" ondblclick="document.location='services_dhcp_edit.php?if=<?=$if;?>&id=<?=$i;?>';"> + <td class="listlr" ondblclick="document.location='services_dhcp_edit.php?if=<?=htmlspecialchars($if);?>&id=<?=$i;?>';"> <?=htmlspecialchars($mapent['mac']);?> </td> - <td class="listr" ondblclick="document.location='services_dhcp_edit.php?if=<?=$if;?>&id=<?=$i;?>';"> + <td class="listr" ondblclick="document.location='services_dhcp_edit.php?if=<?=htmlspecialchars($if);?>&id=<?=$i;?>';"> <?=htmlspecialchars($mapent['ipaddr']);?> </td> - <td class="listr" ondblclick="document.location='services_dhcp_edit.php?if=<?=$if;?>&id=<?=$i;?>';"> + <td class="listr" ondblclick="document.location='services_dhcp_edit.php?if=<?=htmlspecialchars($if);?>&id=<?=$i;?>';"> <?=htmlspecialchars($mapent['hostname']);?> </td> - <td class="listbg" ondblclick="document.location='services_dhcp_edit.php?if=<?=$if;?>&id=<?=$i;?>';"> + <td class="listbg" ondblclick="document.location='services_dhcp_edit.php?if=<?=htmlspecialchars($if);?>&id=<?=$i;?>';"> <?=htmlspecialchars($mapent['descr']);?> </td> <td valign="middle" nowrap class="list"> <table border="0" cellspacing="0" cellpadding="1"> <tr> - <td valign="middle"><a href="services_dhcp_edit.php?if=<?=$if;?>&id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0"></a></td> - <td valign="middle"><a href="services_dhcp.php?if=<?=$if;?>&act=del&id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this mapping?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="services_dhcp_edit.php?if=<?=htmlspecialchars($if);?>&id=<?=$i;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" 
border="0"></a></td> + <td valign="middle"><a href="services_dhcp.php?if=<?=htmlspecialchars($if);?>&act=del&id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this mapping?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0"></a></td> </tr> </table> </td> @@ -931,7 +931,7 @@ include("head.inc"); <table border="0" cellspacing="0" cellpadding="1"> <tr> <td valign="middle" width="17"></td> - <td valign="middle"><a href="services_dhcp_edit.php?if=<?=$if;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> + <td valign="middle"><a href="services_dhcp_edit.php?if=<?=htmlspecialchars($if);?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0"></a></td> </tr> </table> </td> diff --git a/usr/local/www/services_igmpproxy_edit.php b/usr/local/www/services_igmpproxy_edit.php index f4f74df..2336ea1 100755 --- a/usr/local/www/services_igmpproxy_edit.php +++ b/usr/local/www/services_igmpproxy_edit.php @@ -174,7 +174,7 @@ include("head.inc"); <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Description");?></td> <td width="78%" class="vtable"> - <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=$pconfig['descr'];?>" /> + <input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']);?>" /> <br /> <span class="vexpl"> <?=gettext("You may enter a description here for your reference (not parsed).");?> diff --git a/usr/local/www/services_snmp.php b/usr/local/www/services_snmp.php index 8b79c66..0b61bbf 100755 --- a/usr/local/www/services_snmp.php +++ b/usr/local/www/services_snmp.php 
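Review bot: In the `ondblclick="document.location='services_dhcp_edit.php?if=…'"` cells of the `@@ -901` hunk, `$if` sits in three contexts at once — a URL query value, a single-quoted JavaScript string, and a double-quoted HTML attribute — and htmlspecialchars() with default flags covers only the last: a `'` is left alone and ends the JavaScript literal, and `&`/`#` are not URL-encoded. The `href` cells in this hunk and in `@@ -864`, `@@ -892` and `@@ -931` have the URL-context gap as well. Encode for the innermost context first, `…?if=<?=htmlspecialchars(urlencode($if));?>&id=<?=$i;?>`, which also removes the quote problem since urlencode() output contains none; if `$if` is already validated against the configured interface list earlier in the page (not visible in the hunk), a comment saying so at the top of the table would make that contract explicit. The enclosing foreach starts before the hunk.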
@@ -274,7 +274,7 @@ function enable_change(whichone) { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Polling Port ");?></td> <td width="78%" class="vtable"> - <input name="pollport" type="text" class="formfld unknown" id="pollport" size="40" value="<?=$pconfig['pollport'] ? htmlspecialchars($pconfig['pollport']) : htmlspecialchars(161);?>"> + <input name="pollport" type="text" class="formfld unknown" id="pollport" size="40" value="<?=htmlspecialchars($pconfig['pollport']) ? htmlspecialchars($pconfig['pollport']) : htmlspecialchars(161);?>"> <br><?=gettext("Enter the port to accept polling events on (default 161)");?></br> </td> </tr> @@ -343,7 +343,7 @@ function enable_change(whichone) { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Trap server port ");?></td> <td width="78%" class="vtable"> - <input name="trapserverport" type="text" class="formfld unknown" id="trapserverport" size="40" value="<?=$pconfig['trapserverport'] ? htmlspecialchars($pconfig['trapserverport']) : htmlspecialchars(162);?>"> + <input name="trapserverport" type="text" class="formfld unknown" id="trapserverport" size="40" value="<?=htmlspecialchars($pconfig['trapserverport']) ? htmlspecialchars($pconfig['trapserverport']) : htmlspecialchars(162);?>"> <br><?=gettext("Enter the port to send the traps to (default 162)");?></br> </td> </tr> diff --git a/usr/local/www/status_captiveportal.php b/usr/local/www/status_captiveportal.php index 8000281..3625e40 100755 --- a/usr/local/www/status_captiveportal.php +++ b/usr/local/www/status_captiveportal.php 
@@ -120,14 +120,14 @@ if ($_GET['order']) { <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> - <td class="listhdrr"><a href="?order=ip&showact=<?=$_GET['showact'];?>"><?=gettext("IP address");?></a></td> - <td class="listhdrr"><a href="?order=mac&showact=<?=$_GET['showact'];?>"><?=gettext("MAC address");?></a></td> - <td class="listhdrr"><a href="?order=user&showact=<?=$_GET['showact'];?>"><?=gettext("Username");?></a></td> + <td class="listhdrr"><a href="?order=ip&showact=<?=htmlspecialchars($_GET['showact']);?>"><?=gettext("IP address");?></a></td> + <td class="listhdrr"><a href="?order=mac&showact=<?=htmlspecialchars($_GET['showact']);?>"><?=gettext("MAC address");?></a></td> + <td class="listhdrr"><a href="?order=user&showact=<?=htmlspecialchars($_GET['showact']);?>"><?=gettext("Username");?></a></td> <?php if ($_GET['showact']): ?> - <td class="listhdrr"><a href="?order=start&showact=<?=$_GET['showact'];?>"><?=gettext("Session start");?></a></td> - <td class="listhdr"><a href="?order=lastact&showact=<?=$_GET['showact'];?>"><?=gettext("Last activity");?></a></td> + <td class="listhdrr"><a href="?order=start&showact=<?=htmlspecialchars($_GET['showact']);?>"><?=gettext("Session start");?></a></td> + <td class="listhdr"><a href="?order=lastact&showact=<?=htmlspecialchars($_GET['showact']);?>"><?=gettext("Last activity");?></a></td> <?php else: ?> - <td class="listhdr"><a href="?order=start&showact=<?=$_GET['showact'];?>"><?=gettext("Session start");?></a></td> + <td class="listhdr"><a href="?order=start&showact=<?=htmlspecialchars($_GET['showact']);?>"><?=gettext("Session start");?></a></td> <?php endif; ?> <td class="list sort_ignore"></td> </tr> 
@@ -141,7 +141,7 @@ if ($_GET['order']) { <td class="listr"><?php if ($cpent[5]) echo htmlspecialchars(date("m/d/Y H:i:s", $cpent[5]));?></td> <?php endif; ?> <td valign="middle" class="list" nowrap> - <a href="?order=<?=$_GET['order'];?>&showact=<?=$_GET['showact'];?>&act=del&id=<?=$cpent[1];?>" onclick="return confirm('<?=gettext("Do you really want to disconnect this client?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?=gettext("Disconnect");?>"></a></td> + <a href="?order=<?=$_GET['order'];?>&showact=<?=htmlspecialchars($_GET['showact']);?>&act=del&id=<?=$cpent[1];?>" onclick="return confirm('<?=gettext("Do you really want to disconnect this client?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?=gettext("Disconnect");?>"></a></td> </tr> <?php endforeach; ?> </table> diff --git a/usr/local/www/status_captiveportal_vouchers.php b/usr/local/www/status_captiveportal_vouchers.php index 39a6f56..4d3afd8 100644 --- a/usr/local/www/status_captiveportal_vouchers.php +++ b/usr/local/www/status_captiveportal_vouchers.php 
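Review bot: On the rewritten `<a href="?order=<?=$_GET['order'];?>&showact=…&act=del&id=<?=$cpent[1];?>">` line only `showact` was escaped; `$_GET['order']` is written into the same attribute straight from the request, and `$cpent[1]` comes from the captive portal session database with no validation visible here, so the reflected sink this commit sets out to close is still open on this line. Escape both in the same way: `?order=<?=htmlspecialchars($_GET['order']);?>&showact=<?=htmlspecialchars($_GET['showact']);?>&act=del&id=<?=htmlspecialchars($cpent[1]);?>`. The `@@ -120` hunk in this file and the `@@ -99` hunk in status_captiveportal_vouchers.php only embed `showact`, so they are complete as written.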
@@ -99,11 +99,11 @@ include("fbegin.inc"); <table width="100%" border="0" cellpadding="0" cellspacing="0" summary="content pane"> <tr> - <td class="listhdrr"><a href="?order=0&showact=<?=$_GET['showact'];?>"><?=gettext("Voucher"); ?></a></td> - <td class="listhdrr"><a href="?order=1&showact=<?=$_GET['showact'];?>"><?=gettext("Roll"); ?></a></td> - <td class="listhdrr"><a href="?order=2&showact=<?=$_GET['showact'];?>"><?=gettext("Activated at"); ?></a></td> - <td class="listhdrr"><a href="?order=3&showact=<?=$_GET['showact'];?>"><?=gettext("Expires in"); ?></a></td> - <td class="listhdr"><a href="?order=4&showact=<?=$_GET['showact'];?>"><?=gettext("Expires at"); ?></a></td> + <td class="listhdrr"><a href="?order=0&showact=<?=htmlspecialchars($_GET['showact']);?>"><?=gettext("Voucher"); ?></a></td> + <td class="listhdrr"><a href="?order=1&showact=<?=htmlspecialchars($_GET['showact']);?>"><?=gettext("Roll"); ?></a></td> + <td class="listhdrr"><a href="?order=2&showact=<?=htmlspecialchars($_GET['showact']);?>"><?=gettext("Activated at"); ?></a></td> + <td class="listhdrr"><a href="?order=3&showact=<?=htmlspecialchars($_GET['showact']);?>"><?=gettext("Expires in"); ?></a></td> + <td class="listhdr"><a href="?order=4&showact=<?=htmlspecialchars($_GET['showact']);?>"><?=gettext("Expires at"); ?></a></td> <td class="list"></td> </tr> <?php foreach ($db as $dbent): ?> diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php index 8a18ed6..fad6b34 100644 --- a/usr/local/www/system_authservers.php +++ b/usr/local/www/system_authservers.php 
@@ -429,7 +429,7 @@ function select_clicked() { <?php if (!isset($id)): ?> <input name="name" type="text" class="formfld unknown" id="name" size="20" value="<?=htmlspecialchars($pconfig['name']);?>"/> <?php else: ?> - <strong><?=$pconfig[name];?></strong> + <strong><?=htmlspecialchars($pconfig['name']);?></strong> <input name='name' type='hidden' id='name' value="<?=htmlspecialchars($pconfig['name']);?>"/> <?php endif; ?> </td> @@ -742,7 +742,7 @@ function select_clicked() { <?php include("fend.inc"); ?> <script type="text/javascript"> <!-- -server_typechange('<?=$pconfig['type'];?>'); +server_typechange('<?=htmlspecialchars($pconfig['type']);?>'); <?php if (!isset($id) || $pconfig['type'] == "ldap"): ?> ldap_bindchange(); ldap_urlchange(); diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php index 8d60553..2662775 100644 --- a/usr/local/www/system_camanager.php +++ b/usr/local/www/system_camanager.php @@ -288,7 +288,7 @@ function method_change() { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Certificate data");?></td> <td width="78%" class="vtable"> - <textarea name="cert" id="cert" cols="65" rows="7" class="formfld_cert"><?=$pconfig['cert'];?></textarea> + <textarea name="cert" id="cert" cols="65" rows="7" class="formfld_cert"><?=htmlspecialchars($pconfig['cert']);?></textarea> <br> <?=gettext("Paste a certificate in X.509 PEM format here.");?></td> </td> 
@@ -296,7 +296,7 @@ function method_change() { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Certificate Private Key");?><br/><?=gettext("(optional)");?></td> <td width="78%" class="vtable"> - <textarea name="key" id="key" cols="65" rows="7" class="formfld_cert"><?=$pconfig['key'];?></textarea> + <textarea name="key" id="key" cols="65" rows="7" class="formfld_cert"><?=htmlspecialchars($pconfig['key']);?></textarea> <br> <?=gettext("Paste the private key for the above certificate here. This is optional in most cases, but required if you need to generate a Certificate Revocation List (CRL).");?></td> </td> diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php index a3395c9..36a11bb 100644 --- a/usr/local/www/system_certmanager.php +++ b/usr/local/www/system_certmanager.php @@ -457,7 +457,7 @@ function internalca_change() { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Certificate data");?></td> <td width="78%" class="vtable"> - <textarea name="cert" id="cert" cols="65" rows="7" class="formfld_cert"><?=$pconfig['cert'];?></textarea> + <textarea name="cert" id="cert" cols="65" rows="7" class="formfld_cert"><?=htmlspecialchars($pconfig['cert']);?></textarea> <br> <?=gettext("Paste a certificate in X.509 PEM format here.");?></td> </td> @@ -465,7 +465,7 @@ function internalca_change() { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Private key data");?></td> <td width="78%" class="vtable"> - <textarea name="key" id="key" cols="65" rows="7" class="formfld_cert"><?=$pconfig['key'];?></textarea> + <textarea name="key" id="key" cols="65" rows="7" class="formfld_cert"><?=htmlspecialchars($pconfig['key']);?></textarea> <br> <?=gettext("Paste a private key in X.509 PEM format here.");?></td> </td> 
@@ -758,7 +758,7 @@ function internalca_change() { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Signing Request data");?></td> <td width="78%" class="vtable"> - <textarea name="csr" id="csr" cols="65" rows="7" class="formfld_cert" readonly><?=$pconfig['csr'];?></textarea> + <textarea name="csr" id="csr" cols="65" rows="7" class="formfld_cert" readonly><?=htmlspecialchars($pconfig['csr']);?></textarea> <br> <?=gettext("Copy the certificate signing data from here and forward it to your certificate authority for signing.");?></td> </td> @@ -766,7 +766,7 @@ function internalca_change() { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Final Certificate data");?></td> <td width="78%" class="vtable"> - <textarea name="cert" id="cert" cols="65" rows="7" class="formfld_cert"><?=$pconfig['cert'];?></textarea> + <textarea name="cert" id="cert" cols="65" rows="7" class="formfld_cert"><?=htmlspecialchars($pconfig['cert']);?></textarea> <br> <?=gettext("Paste the certificate received from your cerificate authority here.");?></td> </td> diff --git a/usr/local/www/system_crlmanager.php b/usr/local/www/system_crlmanager.php index cb0276b..d7f7108 100644 --- a/usr/local/www/system_crlmanager.php +++ b/usr/local/www/system_crlmanager.php @@ -344,7 +344,7 @@ function method_change() { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("CRL data");?></td> <td width="78%" class="vtable"> - <textarea name="cert" id="cert" cols="65" rows="7" class="formfld_crl"><?=$pconfig['crltext'];?></textarea> + <textarea name="cert" id="cert" cols="65" rows="7" class="formfld_crl"><?=htmlspecialchars($pconfig['crltext']);?></textarea> <br> <?=gettext("Paste a Certificate Revocation List in X.509 CRL format here.");?></td> </td> diff --git a/usr/local/www/system_groupmanager.php b/usr/local/www/system_groupmanager.php index d3978f0..4bf1c25 100644 --- a/usr/local/www/system_groupmanager.php +++ b/usr/local/www/system_groupmanager.php 
@@ -262,7 +262,7 @@ function presubmit() { <td width="22%" valign="top" class="vncell"><?=gettext("Defined by");?></td> <td width="78%" class="vtable"> <strong><?=strtoupper($pconfig['gtype']);?></strong> - <input name="gtype" type="hidden" value="<?=$pconfig['gtype']?>"/> + <input name="gtype" type="hidden" value="<?=htmlspecialchars($pconfig['gtype'])?>"/> </td> </tr> <tr> @@ -360,7 +360,7 @@ function presubmit() { <?=htmlspecialchars($priv_list[$priv]['descr']);?> </td> <td valign="middle" nowrap class="list"> - <a href="system_groupmanager.php?act=delpriv&id=<?=$id?>&privid=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this privilege?");?>')"> + <a href="system_groupmanager.php?act=delpriv&id=<?=htmlspecialchars($id)?>&privid=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this privilege?");?>')"> <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="" /> </a> </td> @@ -373,7 +373,7 @@ function presubmit() { <tr> <td class="list" colspan="2"></td> <td class="list"> - <a href="system_groupmanager_addprivs.php?groupid=<?=$id?>"> + <a href="system_groupmanager_addprivs.php?groupid=<?=htmlspecialchars($id)?>"> <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" alt="" /> </a> @@ -389,8 +389,8 @@ function presubmit() { <td width="78%"> <input name="save" type="submit" class="formbtn" value="<?=gettext("Save");?>"> <?php if (isset($id) && $a_group[$id]): ?> - <input name="id" type="hidden" value="<?=$id;?>"> - <input name="gid" type="hidden" value="<?=$pconfig['gid'];?>"> + <input name="id" type="hidden" value="<?=htmlspecialchars($id);?>"> + <input name="gid" type="hidden" value="<?=htmlspecialchars($pconfig['gid']);?>"> <?php endif; ?> </td> </tr> diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php index d4adf9e..9256c40 100644 --- a/usr/local/www/system_usermanager.php 
+++ b/usr/local/www/system_usermanager.php @@ -466,7 +466,7 @@ function sshkeyClicked(obj) { <td width="22%" valign="top" class="vncell"><?=gettext("Defined by");?></td> <td width="78%" class="vtable"> <strong><?=strtoupper($pconfig['utype']);?></strong> - <input name="utype" type="hidden" value="<?=$pconfig['utype']?>"/> + <input name="utype" type="hidden" value="<?=htmlspecialchars($pconfig['utype'])?>"/> </td> </tr> <tr> @@ -504,7 +504,7 @@ function sshkeyClicked(obj) { <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Expiration date"); ?></td> <td width="78%" class="vtable"> - <input name="expires" type="text" class="formfld unknown" id="expires" size="10" value="<?=$pconfig['expires'];?>"> + <input name="expires" type="text" class="formfld unknown" id="expires" size="10" value="<?=htmlspecialchars($pconfig['expires']);?>"> <a href="javascript:NewCal('expires','mmddyyyy')"> <img src="/themes/<?php echo $g['theme']; ?>/images/icons/icon_cal.gif" width="16" height="16" border="0" alt="<?=gettext("Pick a date");?>"> </a> diff --git a/usr/local/www/vpn_ipsec_keys_edit.php b/usr/local/www/vpn_ipsec_keys_edit.php index 1534bf2..343d0d8 100644 --- a/usr/local/www/vpn_ipsec_keys_edit.php +++ b/usr/local/www/vpn_ipsec_keys_edit.php @@ -127,7 +127,7 @@ include("head.inc"); <tr> <td valign="top" class="vncellreq"><?=gettext("Identifier"); ?></td> <td class="vtable"> - <?=$mandfldhtml;?><input name="ident" type="text" class="formfld unknown" id="ident" size="30" value="<?=$pconfig['ident'];?>"> + <?=$mandfldhtml;?><input name="ident" type="text" class="formfld unknown" id="ident" size="30" value="<?=htmlspecialchars($pconfig['ident']);?>"> <br> <?=gettext("This can be either an IP address, fully qualified domain name or an e-mail address"); ?>. </td> diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php index 384d34b..4e9c537 100755 --- a/usr/local/www/vpn_ipsec_mobile.php +++ b/usr/local/www/vpn_ipsec_mobile.php 
@@ -394,7 +394,7 @@ function login_banner_change() { <tr> <td> <?=gettext("Network"); ?>: - <input name="pool_address" type="text" class="formfld unknown" id="pool_address" size="20" value="<?=$pconfig['pool_address'];?>"> + <input name="pool_address" type="text" class="formfld unknown" id="pool_address" size="20" value="<?=htmlspecialchars($pconfig['pool_address']);?>"> / <select name="pool_netbits" class="formselect" id="pool_netbits"> <?php for ($i = 32; $i >= 0; $i--): ?> @@ -482,25 +482,25 @@ function login_banner_change() { <tr> <td> <?=gettext("Server"); ?> #1: - <input name="dns_server1" type="text" class="formfld unknown" id="dns_server1" size="20" value="<?=$pconfig['dns_server1'];?>"> + <input name="dns_server1" type="text" class="formfld unknown" id="dns_server1" size="20" value="<?=htmlspecialchars($pconfig['dns_server1']);?>"> </td> </tr> <tr> <td> <?=gettext("Server"); ?> #2: - <input name="dns_server2" type="text" class="formfld unknown" id="dns_server2" size="20" value="<?=$pconfig['dns_server2'];?>"> + <input name="dns_server2" type="text" class="formfld unknown" id="dns_server2" size="20" value="<?=htmlspecialchars($pconfig['dns_server2']);?>"> </td> </tr> <tr> <td> <?=gettext("Server"); ?> #3: - <input name="dns_server3" type="text" class="formfld unknown" id="dns_server3" size="20" value="<?=$pconfig['dns_server3'];?>"> + <input name="dns_server3" type="text" class="formfld unknown" id="dns_server3" size="20" value="<?=htmlspecialchars($pconfig['dns_server3']);?>"> </td> </tr> <tr> <td> <?=gettext("Server"); ?> #4: - <input name="dns_server4" type="text" class="formfld unknown" id="dns_server4" size="20" value="<?=$pconfig['dns_server4'];?>"> + <input name="dns_server4" type="text" class="formfld unknown" id="dns_server4" size="20" value="<?=htmlspecialchars($pconfig['dns_server4']);?>"> </td> </tr> </table> 
@@ -524,13 +524,13 @@ function login_banner_change() { <tr> <td> <?=gettext("Server"); ?> #1: - <input name="wins_server1" type="text" class="formfld unknown" id="wins_server1" size="20" value="<?=$pconfig['wins_server1'];?>"> + <input name="wins_server1" type="text" class="formfld unknown" id="wins_server1" size="20" value="<?=htmlspecialchars($pconfig['wins_server1']);?>"> </td> </tr> <tr> <td> <?=gettext("Server"); ?> #2: - <input name="wins_server2" type="text" class="formfld unknown" id="wins_server2" size="20" value="<?=$pconfig['wins_server2'];?>"> + <input name="wins_server2" type="text" class="formfld unknown" id="wins_server2" size="20" value="<?=htmlspecialchars($pconfig['wins_server2']);?>"> </td> </tr> </table> @@ -584,7 +584,7 @@ function login_banner_change() { <tr> <td> <?php $banner = htmlspecialchars($pconfig['login_banner']); ?> - <textarea name="login_banner" cols="65" rows="7" id="login_banner" class="formpre"><?=$banner;?></textarea> + <textarea name="login_banner" cols="65" rows="7" id="login_banner" class="formpre"><?=htmlspecialchars($banner);?></textarea> </td> </tr> </table> diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php index c2ba332..c498858 100644 --- a/usr/local/www/vpn_ipsec_phase1.php +++ b/usr/local/www/vpn_ipsec_phase1.php @@ -527,7 +527,7 @@ function dpdchkbox_change() { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Remote gateway"); ?></td> <td width="78%" class="vtable"> - <?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="20" value="<?=$pconfig['remotegw'];?>"> + <?=$mandfldhtml;?><input name="remotegw" type="text" class="formfld unknown" id="remotegw" size="20" value="<?=htmlspecialchars($pconfig['remotegw']);?>"> <br> <?=gettext("Enter the public IP address or host name of the remote gateway"); ?> </td> 
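Review bot: In the `@@ -584` hunk `$banner` is already `htmlspecialchars($pconfig['login_banner'])` two lines above, so `<?=htmlspecialchars($banner);?>` double-encodes: a banner containing `&`, `<` or `"` is shown in the textarea as `&amp;`, `&lt;` or `&quot;` and will be saved back in that form on the next submit. Either drop the added call and keep `<?=$banner;?>`, or remove the intermediate variable and escape once at the output point. The `@@ -394`, `@@ -482` and `@@ -524` hunks escape attribute values directly and need no change.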
@@ -599,7 +599,7 @@ function dpdchkbox_change() { </option> <?php endforeach; ?> </select> - <input name="myid_data" type="text" class="formfld unknown" id="myid_data" size="30" value="<?=$pconfig['myid_data'];?>"> + <input name="myid_data" type="text" class="formfld unknown" id="myid_data" size="30" value="<?=htmlspecialchars($pconfig['myid_data']);?>"> </td> </tr> <tr id="opt_peerid"> @@ -616,7 +616,7 @@ function dpdchkbox_change() { </option> <?php endforeach; ?> </select> - <input name="peerid_data" type="text" class="formfld unknown" id="peerid_data" size="30" value="<?=$pconfig['peerid_data'];?>"> + <input name="peerid_data" type="text" class="formfld unknown" id="peerid_data" size="30" value="<?=htmlspecialchars($pconfig['peerid_data']);?>"> <?php if ($pconfig['mobile']) { ?> <br/><br/><?=gettext("NOTE: This is known as the \"group\" setting on some VPN client implementations"); ?>. <?php } ?> @@ -705,7 +705,7 @@ function dpdchkbox_change() { <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Lifetime"); ?></td> <td width="78%" class="vtable"> - <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>"> + <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=htmlspecialchars($pconfig['lifetime']);?>"> <?=gettext("seconds"); ?> </td> </tr> 
@@ -775,13 +775,13 @@ function dpdchkbox_change() { <?=gettext("Enable DPD"); ?><br> <div id="opt_dpd"> <br> - <input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=$pconfig['dpd_delay'];?>"> + <input name="dpd_delay" type="text" class="formfld unknown" id="dpd_delay" size="5" value="<?=htmlspecialchars($pconfig['dpd_delay']);?>"> <?=gettext("seconds"); ?><br> <span class="vexpl"> <?=gettext("Delay between requesting peer acknowledgement"); ?>. </span><br> <br> - <input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=$pconfig['dpd_maxfail'];?>"> + <input name="dpd_maxfail" type="text" class="formfld unknown" id="dpd_maxfail" size="5" value="<?=htmlspecialchars($pconfig['dpd_maxfail']);?>"> <?=gettext("retries"); ?><br> <span class="vexpl"> <?=gettext("Number of consecutive failures allowed before disconnect"); ?>. @@ -799,7 +799,7 @@ function dpdchkbox_change() { <?php if ($pconfig['mobile']): ?> <input name="mobile" type="hidden" value="true"> <?php endif; ?> - <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>"> + <input name="ikeid" type="hidden" value="<?=htmlspecialchars($pconfig['ikeid']);?>"> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>"> </td> </tr> diff --git a/usr/local/www/vpn_ipsec_phase2.php b/usr/local/www/vpn_ipsec_phase2.php index 824ba19..f8d601d 100644 --- a/usr/local/www/vpn_ipsec_phase2.php +++ b/usr/local/www/vpn_ipsec_phase2.php 
@@ -367,7 +367,7 @@ function change_protocol() { <td><?=gettext("Address:");?> </td> <td><?=$mandfldhtmlspc;?></td> <td> - <input name="localid_address" type="text" class="formfld unknown" id="localid_address" size="20" value="<?=$pconfig['localid_address'];?>"> + <input name="localid_address" type="text" class="formfld unknown" id="localid_address" size="20" value="<?=htmlspecialchars($pconfig['localid_address']);?>"> / <select name="localid_netbits" class="formselect" id="localid_netbits"> <?php for ($i = 32; $i >= 0; $i--): ?> @@ -402,7 +402,7 @@ function change_protocol() { <td><?=gettext("Address"); ?>: </td> <td><?=$mandfldhtmlspc;?></td> <td> - <input name="remoteid_address" type="text" class="formfld unknown" id="remoteid_address" size="20" value="<?=$pconfig['remoteid_address'];?>"> + <input name="remoteid_address" type="text" class="formfld unknown" id="remoteid_address" size="20" value="<?=htmlspecialchars($pconfig['remoteid_address']);?>"> / <select name="remoteid_netbits" class="formselect" id="remoteid_netbits"> <?php for ($i = 32; $i >= 0; $i--) { @@ -536,7 +536,7 @@ function change_protocol() { <select class="formselect" disabled> <option selected><?=$p2_pfskeygroups[$a_client['pfs_group']];?></option> </select> - <input name="pfsgroup" type="hidden" value="<?=$pconfig['pfsgroup'];?>"> + <input name="pfsgroup" type="hidden" value="<?=htmlspecialchars($pconfig['pfsgroup']);?>"> <br> <span class="vexpl"><em><?=gettext("Set globally in mobile client options"); ?></em></span> <?php endif; ?> @@ -545,7 +545,7 @@ function change_protocol() { <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Lifetime"); ?></td> <td width="78%" class="vtable"> - <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=$pconfig['lifetime'];?>"> + <input name="lifetime" type="text" class="formfld unknown" id="lifetime" size="20" value="<?=htmlspecialchars($pconfig['lifetime']);?>"> <?=gettext("seconds"); ?> </td> </tr> 
@@ -558,7 +558,7 @@ function change_protocol() { <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Automatically ping host"); ?></td> <td width="78%" class="vtable"> - <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=$pconfig['pinghost'];?>"> + <input name="pinghost" type="text" class="formfld unknown" id="pinghost" size="20" value="<?=htmlspecialchars($pconfig['pinghost']);?>"> <?=gettext("IP address"); ?> </td> </tr> @@ -573,7 +573,7 @@ function change_protocol() { <input name="remoteid_type" type="hidden" value="mobile"> <?php endif; ?> <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Save"); ?>"> - <input name="ikeid" type="hidden" value="<?=$pconfig['ikeid'];?>"> + <input name="ikeid" type="hidden" value="<?=htmlspecialchars($pconfig['ikeid']);?>"> </td> </tr> </table> @@ -584,11 +584,11 @@ function change_protocol() { </form> <script lannguage="JavaScript"> <!-- -change_mode('<?=$pconfig['mode']?>'); -change_protocol('<?=$pconfig['proto']?>'); -typesel_change_local(<?=$pconfig['localid_netbits']?>); +change_mode('<?=htmlspecialchars($pconfig['mode'])?>'); +change_protocol('<?=htmlspecialchars($pconfig['proto'])?>'); +typesel_change_local(<?=htmlspecialchars($pconfig['localid_netbits'])?>); <?php if (!isset($pconfig['mobile'])): ?> -typesel_change_remote(<?=$pconfig['remoteid_netbits']?>); +typesel_change_remote(<?=htmlspecialchars($pconfig['remoteid_netbits'])?>); <?php endif; ?> //--> </script> diff --git a/usr/local/www/vpn_openvpn_client.php b/usr/local/www/vpn_openvpn_client.php index 93eb56c..04bbeb9 100644 --- a/usr/local/www/vpn_openvpn_client.php +++ b/usr/local/www/vpn_openvpn_client.php 
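Review bot: In the `@@ -584` hunk, `typesel_change_local(<?=htmlspecialchars($pconfig['localid_netbits'])?>)` and `typesel_change_remote(…)` emit the value as a bare JavaScript expression rather than inside quotes, so htmlspecialchars() does not constrain it — anything other than `<`, `>`, `&` and `"` passes through and is parsed as script. These are prefix lengths, so a cast is both the correct and the safe form: `typesel_change_local(<?=(int)$pconfig['localid_netbits']?>);` and `typesel_change_remote(<?=(int)$pconfig['remoteid_netbits']?>);`. The `ikeid` hidden field in `@@ -573` and the same field in vpn_ipsec_phase1.php `@@ -799` are attribute contexts and are fine as changed.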
@@ -809,7 +809,7 @@ if ($savemsg)
 <table border="0" cellpadding="2" cellspacing="0">
 <tr>
 <td>
-<textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea><br/>
+<textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=htmlspecialchars($pconfig['custom_options']);?></textarea><br/>
 <?=gettext("Enter any additional options you would like to add to the OpenVPN client configuration here, separated by a semicolon"); ?><br/>
 <?=gettext("EXAMPLE: route 10.0.0.0 255.255.255.0;"); ?>
 </td>
diff --git a/usr/local/www/vpn_openvpn_csc.php b/usr/local/www/vpn_openvpn_csc.php
index e23b202..e980332 100644
--- a/usr/local/www/vpn_openvpn_csc.php
+++ b/usr/local/www/vpn_openvpn_csc.php
@@ -476,7 +476,7 @@ function netbios_change() {
 <span class="vexpl">
 <?=gettext("Server"); ?> #1:
 </span>
-<input name="dns_server1" type="text" class="formfld unknown" id="dns_server1" size="20" value="<?=$pconfig['dns_server1'];?>">
+<input name="dns_server1" type="text" class="formfld unknown" id="dns_server1" size="20" value="<?=htmlspecialchars($pconfig['dns_server1']);?>">
 </td>
 </tr>
 <tr>
@@ -484,7 +484,7 @@ function netbios_change() {
 <span class="vexpl">
 <?=gettext("Server"); ?> #2:
 </span>
-<input name="dns_server2" type="text" class="formfld unknown" id="dns_server2" size="20" value="<?=$pconfig['dns_server2'];?>">
+<input name="dns_server2" type="text" class="formfld unknown" id="dns_server2" size="20" value="<?=htmlspecialchars($pconfig['dns_server2']);?>">
 </td>
 </tr>
 <tr>
@@ -492,7 +492,7 @@ function netbios_change() {
 <span class="vexpl">
 <?=gettext("Server"); ?> #3:
 </span>
-<input name="dns_server3" type="text" class="formfld unknown" id="dns_server3" size="20" value="<?=$pconfig['dns_server3'];?>">
+<input name="dns_server3" type="text" class="formfld unknown" id="dns_server3" size="20" value="<?=htmlspecialchars($pconfig['dns_server3']);?>">
 </td>
 </tr>
 <tr>
@@ -500,7 +500,7 @@ function netbios_change() {
 <span class="vexpl">
 <?=gettext("Server"); ?> #4:
 </span>
-<input name="dns_server4" type="text" class="formfld unknown" id="dns_server4" size="20" value="<?=$pconfig['dns_server4'];?>">
+<input name="dns_server4" type="text" class="formfld unknown" id="dns_server4" size="20" value="<?=htmlspecialchars($pconfig['dns_server4']);?>">
 </td>
 </tr>
 </table>
diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php
index 4f74fd4..7cb4332 100644
--- a/usr/local/www/vpn_openvpn_server.php
+++ b/usr/local/www/vpn_openvpn_server.php
@@ -1099,7 +1099,7 @@ if ($savemsg)
 <span class="vexpl">
 <?=gettext("Server"); ?> #1:
 </span>
-<input name="dns_server1" type="text" class="formfld unknown" id="dns_server1" size="20" value="<?=$pconfig['dns_server1'];?>">
+<input name="dns_server1" type="text" class="formfld unknown" id="dns_server1" size="20" value="<?=htmlspecialchars($pconfig['dns_server1']);?>">
 </td>
 </tr>
 <tr>
@@ -1107,7 +1107,7 @@ if ($savemsg)
 <span class="vexpl">
 <?=gettext("Server"); ?> #2:
 </span>
-<input name="dns_server2" type="text" class="formfld unknown" id="dns_server2" size="20" value="<?=$pconfig['dns_server2'];?>">
+<input name="dns_server2" type="text" class="formfld unknown" id="dns_server2" size="20" value="<?=htmlspecialchars($pconfig['dns_server2']);?>">
 </td>
 </tr>
 <tr>
@@ -1115,7 +1115,7 @@ if ($savemsg)
 <span class="vexpl">
 <?=gettext("Server"); ?> #3:
 </span>
-<input name="dns_server3" type="text" class="formfld unknown" id="dns_server3" size="20" value="<?=$pconfig['dns_server3'];?>">
+<input name="dns_server3" type="text" class="formfld unknown" id="dns_server3" size="20" value="<?=htmlspecialchars($pconfig['dns_server3']);?>">
 </td>
 </tr>
 <tr>
@@ -1123,7 +1123,7 @@ if ($savemsg)
 <span class="vexpl">
 <?=gettext("Server"); ?> #4:
 </span>
-<input name="dns_server4" type="text" class="formfld unknown" id="dns_server4" size="20" value="<?=$pconfig['dns_server4'];?>">
+<input name="dns_server4" type="text" class="formfld unknown" id="dns_server4" size="20" value="<?=htmlspecialchars($pconfig['dns_server4']);?>">
 </td>
 </tr>
 </table>
@@ -1151,7 +1151,7 @@ if ($savemsg)
 <span class="vexpl">
 <?=gettext("Server"); ?> #1:
 </span>
-<input name="ntp_server1" type="text" class="formfld unknown" id="ntp_server1" size="20" value="<?=$pconfig['ntp_server1'];?>">
+<input name="ntp_server1" type="text" class="formfld unknown" id="ntp_server1" size="20" value="<?=htmlspecialchars($pconfig['ntp_server1']);?>">
 </td>
 </tr>
 <tr>
@@ -1159,7 +1159,7 @@ if ($savemsg)
 <span class="vexpl">
 <?=gettext("Server"); ?> #2:
 </span>
-<input name="ntp_server2" type="text" class="formfld unknown" id="ntp_server2" size="20" value="<?=$pconfig['ntp_server2'];?>">
+<input name="ntp_server2" type="text" class="formfld unknown" id="ntp_server2" size="20" value="<?=htmlspecialchars($pconfig['ntp_server2']);?>">
 </td>
 </tr>
 </table>
@@ -1247,7 +1247,7 @@ if ($savemsg)
 <span class="vexpl">
 <?=gettext("Server"); ?> #1:
 </span>
-<input name="wins_server1" type="text" class="formfld unknown" id="wins_server1" size="20" value="<?=$pconfig['wins_server1'];?>">
+<input name="wins_server1" type="text" class="formfld unknown" id="wins_server1" size="20" value="<?=htmlspecialchars($pconfig['wins_server1']);?>">
 </td>
 </tr>
 <tr>
@@ -1255,7 +1255,7 @@ if ($savemsg)
 <span class="vexpl">
 <?=gettext("Server"); ?> #2:
 </span>
-<input name="wins_server2" type="text" class="formfld unknown" id="wins_server2" size="20" value="<?=$pconfig['wins_server2'];?>">
+<input name="wins_server2" type="text" class="formfld unknown" id="wins_server2" size="20" value="<?=htmlspecialchars($pconfig['wins_server2']);?>">
 </td>
 </tr>
 </table>
@@ -1276,7 +1276,7 @@ if ($savemsg)
 <table border="0" cellpadding="2" cellspacing="0">
 <tr>
 <td>
-<textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea><br/>
+<textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=htmlspecialchars($pconfig['custom_options']);?></textarea><br/>
 <?=gettext("Enter any additional options you would like to add to the OpenVPN server configuration here, separated by a semicolon"); ?><br/>
 <?=gettext("EXAMPLE: push \"route 10.0.0.0 255.255.255.0\""); ?>;
 </td>
|