path: root/usr/local/www/diag_dump_states.php
authorScott Ullrich <sullrich@pfsense.org>2010-11-09 11:38:27 -0500
committerScott Ullrich <sullrich@pfsense.org>2010-11-09 11:38:27 -0500
commit034f08e7dd102c09e60184220927e6c5cba9f10c (patch)
treefc31493bc38958074835e3e344302084e1d652f4 /usr/local/www/diag_dump_states.php
parentfea098864053dada6741b99444f10d4406ddeee6 (diff)
Fix Misc XSS issues
Diffstat (limited to 'usr/local/www/diag_dump_states.php')
-rwxr-xr-xusr/local/www/diag_dump_states.php8
1 files changed, 4 insertions, 4 deletions
diff --git a/usr/local/www/diag_dump_states.php b/usr/local/www/diag_dump_states.php
index a2009c9..69d8dfd 100755
--- a/usr/local/www/diag_dump_states.php
+++ b/usr/local/www/diag_dump_states.php
@@ -44,8 +44,8 @@ require_once("guiconfig.inc");
/* handle AJAX operations */
if($_GET['action']) {
if($_GET['action'] == "remove") {
- $srcip = $_GET['srcip'];
- $dstip = $_GET['dstip'];
+ $srcip = escapeshellarg($_GET['srcip']);
+ $dstip = escapeshellarg($_GET['dstip']);
if (is_ipaddr($srcip) and is_ipaddr($dstip)) {
$retval = mwexec("/sbin/pfctl -k '{$srcip}' -k '{$dstip}'");
echo htmlentities("|{$srcip}|{$dstip}|{$retval}|");
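Review bot: The `escapeshellarg()` calls added on the `$srcip`/`$dstip` assignments run before the `is_ipaddr()` check, so what gets validated is the quoted string (`'1.2.3.4'`) rather than the address; unless is_ipaddr tolerates surrounding single quotes, which seems unlikely, the remove action can now never pass validation, and if it did the `pfctl -k '{$srcip}'` command would wrap the value in a second pair of quotes. Keep the two assignments reading the raw `$_GET` values, validate those, and escape only at the call site: `$retval = mwexec("/sbin/pfctl -k " . escapeshellarg($srcip) . " -k " . escapeshellarg($dstip));`. Separately, this is a state-mutating action driven by a plain GET with no CSRF token check visible in the hunk; if guiconfig.inc does not enforce one for this page, a cross-site request can kill arbitrary states.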
@@ -58,7 +58,7 @@ if($_GET['action']) {
/* get our states */
if($_GET['filter']) {
- exec("/sbin/pfctl -s state | grep " . escapeshellarg($_GET['filter']), $states);
+ exec("/sbin/pfctl -s state | grep " . escapeshellarg(htmlspecialchars($_GET['filter'])), $states);
}
else {
exec("/sbin/pfctl -s state", $states);
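Review bot: `htmlspecialchars()` on the new `grep` line is an HTML-output encoder applied to a shell argument, which is the wrong layer: `escapeshellarg()` already made the value shell-safe on the old line, and the extra call rewrites `&`, `<`, `>` and `"` into entities before grep sees them, so a filter containing those characters silently matches the wrong thing; the `$states` output is rendered outside this hunk and must be escaped there instead. What the old line did lack is protection against a filter beginning with `-`, which grep parses as an option even inside the quotes escapeshellarg adds. Suggest `exec("/sbin/pfctl -s state | grep -e " . escapeshellarg($_GET['filter']), $states);` so the value is always taken as a pattern.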
@@ -135,7 +135,7 @@ include("head.inc");
<td><?=gettext("Current state count:");?> <?=$current_statecount?></td>
<td style="font-weight:bold;" align="right">
<?=gettext("Filter expression:");?>
- <input type="text" name="filter" class="formfld search" value="<?=$_GET['filter'];?>" size="30" />
+ <input type="text" name="filter" class="formfld search" value="<?=htmlspecialchars($_GET['filter']);?>" size="30" />
<input type="submit" class="formbtn" value="<?=gettext("Filter");?>" />
<td>
</tr>
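Review bot: `htmlspecialchars()` on the new `value="..."` line is called with default flags, which on PHP releases of this era (before 8.1) do not encode single quotes; that is safe inside this double-quoted attribute but breaks silently if the quoting is ever changed, so prefer `htmlspecialchars($_GET['filter'], ENT_QUOTES)`. The read also raises an undefined-index notice when no filter is submitted; `htmlspecialchars(isset($_GET['filter']) ? $_GET['filter'] : '', ENT_QUOTES)` avoids that. Unrelated to the change, the bare `<td>` two lines below sits where the closing `</td>` for the cell opened by `<td style="font-weight:bold;" ...>` should be.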