* escape html entities in network interface settings

the command `ip address show eth0` returns special characters like "<" and ">" which, if left unescaped and shown on the page, will create arbitrary html elements and hide information. * show interface settings inside unstyled pre block interface properties should be parsed and displayed in a proprietary and pretty manner. until then, give use the raw output of `ip address show`
2025-03-01 10:31:47 +00:00 · 2019-07-30 14:10:42 +02:00
parent 1b32ed53d6
commit 3db99c7d21
2 changed files with 4 additions and 1 deletions
--- a/ajax/networking/get_ip_summary.php
+++ b/ajax/networking/get_ip_summary.php
@@ -5,6 +5,7 @@ include_once('../../includes/functions.php');
 if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
    $int = preg_replace('/[^a-z0-9]/','',$_POST['interface']);
    exec('ip a s '.$int,$intOutput,$intResult);
+    $intOutput = array_map('htmlentities', $intOutput);
    $jsonData = ['return'=>$intResult,'output'=>$intOutput];
    echo json_encode($jsonData);
 } else {
--- a/includes/networking.php
+++ b/includes/networking.php
@@ -44,7 +44,9 @@ function DisplayNetworkingConfig()
                            echo '<div class="col-md-6">
                            <div class="panel panel-default">
                                <div class="panel-heading">'.htmlspecialchars($interface, ENT_QUOTES).'</div>
-                                <div class="panel-body" id="'.htmlspecialchars($interface, ENT_QUOTES).'-summary"></div>
+                                <div class="panel-body">
+                                  <pre class="unstyled" id="'.htmlspecialchars($interface, ENT_QUOTES).'-summary"></pre>
+                                </div>
                            </div>
                            </div>';
                        }