Use htmlspecialchars() for santitized output

1 files changed, 3 insertions, 3 deletions

diff --git a/usr/local/www/graph.php b/usr/local/www/graph.php
index 14af862..6634ed3 100755
--- a/usr/local/www/graph.php
+++ b/usr/local/www/graph.php
@@ -82,12 +82,12 @@ $attribs['error']='fill="blue" font-family="Arial" font-size="4"';
 $attribs['collect_initial']='fill="gray" font-family="Tahoma, Verdana, Arial, Helvetica, sans-serif" font-size="4"';
 
 //Error text if we cannot fetch data : depends on which method is used
-$error_text = "Cannot get data about interface $ifnum";
+$error_text = "Cannot get data about interface " . htmlspecialchars($ifnum);
 
 $height=100;            //SVG internal height : do not modify
 $width=200;             //SVG internal width : do not modify
 
-$fetch_link = "ifstats.php?if={$ifnum}";
+$fetch_link = "ifstats.php?if=" . htmlspecialchars($ifnum);
 
 /* check for custom theme colors */
 if(file_exists("/usr/local/www/themes/{$g['theme']}/graph.php")) {
@@ -112,7 +112,7 @@ print('<?xml version="1.0" encoding="iso-8859-1"?>' . "\n");?>
     <text id="graph_out_lbl" x="5" y="16" <?=$attribs['out']?>><?=gettext("Out"); ?></text>
     <text id="graph_in_txt" x="20" y="8" <?=$attribs['in']?>> </text>
     <text id="graph_out_txt" x="20" y="16" <?=$attribs['out']?>> </text>
-    <text id="ifname" x="<?=$width?>" y="8" <?=$attribs['graphname']?> text-anchor="end"><?=$ifname?></text>
+    <text id="ifname" x="<?=$width?>" y="8" <?=$attribs['graphname']?> text-anchor="end"><?=htmlspecialchars($ifname)?></text>
     <text id="switch_unit" x="<?=$width*0.55?>" y="5" <?=$attribs['switch_unit']?>><?=gettext("Switch to bytes/s"); ?></text>
     <text id="switch_scale" x="<?=$width*0.55?>" y="11" <?=$attribs['switch_scale']?>><?=gettext("AutoScale"); ?> (<?=$scale_type?>)</text>
     <text id="datetime" x="<?=$width*0.33?>" y="5" <?=$attribs['legend']?>> </text>