From 43cb72549d90e338f902b359a83c23d3cb5a2645 Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Mon, 17 Oct 2022 02:04:22 -0500
Subject: [PATCH] Fix billing xss (#14465)

bill_name and bill_notes fields allow html injection
---
 includes/html/pages/bill.inc.php | 2 +-
 includes/html/pages/bill/addoreditbill.inc.php | 8 ++++----
 includes/html/table/bills.inc.php | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/includes/html/pages/bill.inc.php b/includes/html/pages/bill.inc.php
index b1682490682b..1505dd28aaed 100644
--- a/includes/html/pages/bill.inc.php
+++ b/includes/html/pages/bill.inc.php
@@ -87,7 +87,7 @@ function print_port_list($ports) echo ''; }//end print_port_list?> -

+

Bill:

- +
@@ -91,19 +91,19 @@
- +
- +
- +
diff --git a/includes/html/table/bills.inc.php b/includes/html/table/bills.inc.php
index da0bcbd88410..be5aecffe473 100644
--- a/includes/html/table/bills.inc.php
+++ b/includes/html/table/bills.inc.php
@@ -94,7 +94,7 @@
 $rate_average = $bill['rate_average'];
 $url = \LibreNMS\Util\Url::generate(['page' => 'bill', 'bill_id' => $bill['bill_id']]);
 $used95th = Number::formatSi($bill['rate_95th'], 2, 3, '') . 'bps';
- $notes = $bill['bill_notes'];
+ $notes = htmlentities($bill['bill_notes']);
 if ($prev) {
 $percent = $bill['bill_percent'];
@@ -142,7 +142,7 @@
 $left_background = $background['left'];
 $overuse_formatted = (($overuse <= 0) ? '-' : "$overuse_formatted");
- $bill_name = "${bill['bill_name']}
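Review bot: `$notes = htmlentities($bill['bill_notes']);` leaves the escaping flags at PHP's version-dependent defaults: before PHP 8.1 the default is `ENT_COMPAT`, so single quotes pass through unencoded and a value containing an invalid UTF-8 sequence comes back as an empty string, while 8.1 changed the default to `ENT_QUOTES | ENT_SUBSTITUTE`; the place where `$notes` is emitted is outside this hunk, so the output context cannot be checked here. Spelling the flags out keeps the fix stable across the PHP versions the project runs on: `$notes = htmlspecialchars($bill['bill_notes'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The `?? ''` additionally avoids the PHP 8.1 deprecation for passing null to a string parameter, which only matters if bill_notes is nullable in the schema — that is not visible in the diff. The same point applies to `htmlentities($bill['bill_name'])` in the hunk at `@@ -142,7 +142,7 @@` below.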
" .
+ $bill_name = "" . htmlentities($bill['bill_name']) . '
' . date('Y-m-d', strtotime($datefrom)) . ' to ' . date('Y-m-d', strtotime($dateto));
 $bar = print_percentage_bar(250, 20, $percent, null, 'ffffff', $background['left'], $percent . '%', 'ffffff', $background['right']);
 $actions = '';