From 3db99c7d2130364ea83f7c7cc807118e85a18e18 Mon Sep 17 00:00:00 2001
From: glaszig
Date: Tue, 30 Jul 2019 14:10:42 +0200
Subject: [PATCH] * escape html entities in network interface settings the command `ip address show eth0` returns special characters like "<" and ">" which, if left unescaped and shown on the page, will create arbitrary html elements and hide information. * show interface settings inside unstyled pre block interface properties should be parsed and displayed in a proprietary and pretty manner. until then, give use the raw output of `ip address show`
---
 ajax/networking/get_ip_summary.php | 1 +
 includes/networking.php | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ajax/networking/get_ip_summary.php b/ajax/networking/get_ip_summary.php
index cd42f575..810c6265 100644
--- a/ajax/networking/get_ip_summary.php
+++ b/ajax/networking/get_ip_summary.php
@@ -5,6 +5,7 @@ include_once('../../includes/functions.php');
 if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
 $int = preg_replace('/[^a-z0-9]/','',$_POST['interface']);
 exec('ip a s '.$int,$intOutput,$intResult);
+ $intOutput = array_map('htmlentities', $intOutput);
 $jsonData = ['return'=>$intResult,'output'=>$intOutput];
 echo json_encode($jsonData);
 } else {
diff --git a/includes/networking.php b/includes/networking.php
index 364e3e35..9b728d06 100755
--- a/includes/networking.php
+++ b/includes/networking.php
@@ -44,7 +44,9 @@ function DisplayNetworkingConfig()
 echo '
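Review bot: The added `$intOutput = array_map('htmlentities', $intOutput);` relies on htmlentities' default flags, which on PHP versions before 8.1 are ENT_COMPAT, so single quotes pass through unencoded, and without ENT_SUBSTITUTE any line containing an invalid UTF-8 byte sequence is silently replaced by an empty string rather than escaped. The sibling call in includes/networking.php passes `ENT_QUOTES` explicitly; match it here with `$intOutput = array_map(function ($line) { return htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }, $intOutput);`. Escaping inside the JSON endpoint also ties this response to an HTML consumer — if the consuming script ever inserts the lines as text rather than HTML, the entities will show literally — so the contract deserves a comment on the added line such as `// lines are pre-escaped for HTML insertion; do not escape again client-side`. The enclosing if/else block continues outside the hunk.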
'.htmlspecialchars($interface, ENT_QUOTES).'
-
+
+

+                                
'; }