Fixing XSS Issue with Form Validation

As reported in GHSA-5p79-q5q3-84vw
Cacti · Apr 7, 2024 · 866b432 · 866b432
1 parent eff35b0
commit 866b432
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/lib/html_validate.php b/lib/html_validate.php
@@ -47,13 +47,15 @@ function html_log_input_error($variable) {
 function die_html_input_error($variable = null, $value = null, $message = '') {
 	$func = CACTI_CLI ? 'trim' : 'html_escape';
 
+	$variable = ($variable !== null ? ', Variable:' . $func($variable) : '');
+	$value    = ($value !== null ? ', Value:'    . $func($value)    : '');
+
 	if ($message == '') {
 		$message = __esc('Validation error for variable %s with a value of %s.  See backtrace below for more details.', $variable, $value);
+	} elseif (!CACTI_CLI) {
+		$message = html_escape($message);
 	}
 
-	$variable = ($variable !== null ? ', Variable:' . $func($variable) : '');
-	$value    = ($value !== null ? ', Value:'    . $func($value)    : '');
-
 	$isWeb = CACTI_WEB || isset_request_var('json');
 	cacti_debug_backtrace('Validation Error' . $variable . $value, $isWeb);