Resolve issues with XSS issues in color_template

Cacti · Jan 2, 2022 · 657abc6 · 657abc6
1 parent dd8ce81
commit 657abc6
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG b/CHANGELOG
@@ -2,6 +2,7 @@ Cacti CHANGELOG
 
 1.2.20
 -security:   Resolve issues with SQL injections in user_admin and user_group_admin.  Thanks @enesdex 
+-security:   Resolve issues with XSS issues in color_template.  Thanks @M0rphling
 -issue#3816: Installation can sometimes appear stuck during replication or table conversion
 -issue#4363: Duplicate entries in graph_templates_item - mabye an aftermath of the template edit bug
 -issue#4435: Unable to Save Graph Settings from the Graphs pages

diff --git a/color_templates.php b/color_templates.php
@@ -148,7 +148,7 @@ function aggregate_color_form_save() {
 			$save1['color_template_id'] = 0;
 		}
 
-		$save1['name'] = form_input_validate(get_nfilter_request_var('name'), 'name', '', false, 3);
+		$save1['name'] = form_input_validate(get_filter_request_var('name', FILTER_SANITIZE_SPECIAL_CHARS | FILTER_FLAG_STRIP_LOW), 'name', '', false, 3);
 
 		cacti_log('Saved ID: ' . $save1['color_template_id'] . ' Name: ' . $save1['name'], false, 'AGGREGATE', POLLER_VERBOSITY_DEBUG);