XSS fixes (#13780)

librenms · Feb 13, 2022 · 4c9d4ee · 4c9d4ee
1 parent 41ddce6
commit 4c9d4ee
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/includes/html/forms/add-dashboard.inc.php b/includes/html/forms/add-dashboard.inc.php
@@ -34,7 +34,7 @@
 $status = 'error';
 $message = 'unknown error';
 
-$dashboard_name = trim($_REQUEST['dashboard_name']);
+$dashboard_name = trim(strip_tags($_REQUEST['dashboard_name']));
 
 if (! empty($dashboard_name) && ($dash_id = dbInsert(['dashboard_name' => $dashboard_name, 'user_id' => Auth::id()], 'dashboards'))) {
     $status = 'ok';

diff --git a/includes/html/forms/customoid.inc.php b/includes/html/forms/customoid.inc.php
@@ -17,9 +17,9 @@
 $device_id = $_POST['device_id'];
 $id = $_POST['ccustomoid_id'];
 $action = $_POST['action'];
-$name = $_POST['name'];
-$oid = $_POST['oid'];
-$datatype = $_POST['datatype'];
+$name = strip_tags($_POST['name']);
+$oid = strip_tags($_POST['oid']);
+$datatype = strip_tags($_POST['datatype']);
 if (empty(($_POST['unit']))) {
     $unit = ['NULL'];
 } else {

diff --git a/includes/html/forms/transport-groups.inc.php b/includes/html/forms/transport-groups.inc.php
@@ -35,7 +35,7 @@
 $message = '';
 
 $group_id = $vars['group_id'];
-$name = $vars['name'];
+$name = strip_tags($vars['name']);
 
 $target_members = [];
 foreach ((array) $vars['members'] as $target) {