Merge pull request #391 from pi-hole/fix/xss-settings

Clean any inputs being added to $success or $error
pi-hole · Feb 9, 2017 · ee41dbd · ee41dbd
2 parents 2a179b7 + 3a3883a
commit ee41dbd
Showing 1 changed file with 15 additions and 15 deletions.
diff --git a/scripts/pi-hole/php/savesettings.php b/scripts/pi-hole/php/savesettings.php
@@ -123,7 +123,7 @@ function readStaticLeasesFile()
 						}
 						else
 						{
-							$error .= "IP (".$IP.") is invalid!<br>";
+							$error .= "IP (".htmlspecialchars($IP).") is invalid!<br>";
 						}
 					}
 				}
@@ -209,7 +209,7 @@ function readStaticLeasesFile()
 				{
 					if(!validDomain($domain))
 					{
-						$error .= "Top Domains/Ads entry ".$domain." is invalid!<br>";
+						$error .= "Top Domains/Ads entry ".htmlspecialchars($domain)." is invalid!<br>";
 					}
 					if(!$first)
 					{
@@ -228,7 +228,7 @@ function readStaticLeasesFile()
 				{
 					if(!validIP($client))
 					{
-						$error .= "Top Clients entry ".$client." is invalid (use only IP addresses)!<br>";
+						$error .= "Top Clients entry ".htmlspecialchars($client)." is invalid (use only IP addresses)!<br>";
 					}
 					if(!$first)
 					{
@@ -370,18 +370,18 @@ function readStaticLeasesFile()
 
 					if(!validMAC($mac))
 					{
-						$error .= "MAC address (".htmlentities($mac).") is invalid!<br>";
+						$error .= "MAC address (".htmlspecialchars($mac).") is invalid!<br>";
 					}
 					$mac = strtoupper($mac);
 
 					if(!validIP($ip) && strlen($ip) > 0)
 					{
-						$error .= "IP address (".htmlentities($ip).") is invalid!<br>";
+						$error .= "IP address (".htmlspecialchars($ip).") is invalid!<br>";
 					}
 
 					if(!validDomain($hostname) && strlen($hostname) > 0)
 					{
-						$error .= "Host name (".htmlentities($hostname).") is invalid!<br>";
+						$error .= "Host name (".htmlspecialchars($hostname).") is invalid!<br>";
 					}
 
 					if(strlen($hostname) == 0 && strlen($ip) == 0)
@@ -400,7 +400,7 @@ function readStaticLeasesFile()
 					foreach($dhcp_static_leases as $lease) {
 						if($lease["hwaddr"] === $mac)
 						{
-							$error .= "Static release for MAC address (".htmlentities($mac).") already defined!<br>";
+							$error .= "Static release for MAC address (".htmlspecialchars($mac).") already defined!<br>";
 							break;
 						}
 					}
@@ -418,14 +418,14 @@ function readStaticLeasesFile()
 					$mac = $_POST["removestatic"];
 					if(!validMAC($mac))
 					{
-						$error .= "MAC address (".htmlentities($mac).") is invalid!<br>";
+						$error .= "MAC address (".htmlspecialchars($mac).") is invalid!<br>";
 					}
 					$mac = strtoupper($mac);
 
 					if(!strlen($error))
 					{
 						exec("sudo pihole -a removestaticdhcp ".$mac);
-						$success .= "The static address with MAC address ".htmlentities($mac)." has been removed";
+						$success .= "The static address with MAC address ".htmlspecialchars($mac)." has been removed";
 					}
 					break;
 				}
@@ -436,37 +436,37 @@ function readStaticLeasesFile()
 					$from = $_POST["from"];
 					if (!validIP($from))
 					{
-						$error .= "From IP (".$from.") is invalid!<br>";
+						$error .= "From IP (".htmlspecialchars($from).") is invalid!<br>";
 					}
 
 					// Validate to IP
 					$to = $_POST["to"];
 					if (!validIP($to))
 					{
-						$error .= "To IP (".$to.") is invalid!<br>";
+						$error .= "To IP (".htmlspecialchars($to).") is invalid!<br>";
 					}
 
 					// Validate router IP
 					$router = $_POST["router"];
 					if (!validIP($router))
 					{
-						$error .= "Router IP (".$router.") is invalid!<br>";
+						$error .= "Router IP (".htmlspecialchars($router).") is invalid!<br>";
 					}
 
 					$domain = $_POST["domain"];
 
 					// Validate Domain name
 					if(!validDomain($domain))
 					{
-						$error .= "Domain name ".$domain." is invalid!<br>";
+						$error .= "Domain name ".htmlspecialchars($domain)." is invalid!<br>";
 					}
 
 					$leasetime = $_POST["leasetime"];
 
 					// Validate Lease time length
 					if(!is_numeric($leasetime) || intval($leasetime) < 0)
 					{
-						$error .= "Lease time ".$leasetime." is invalid!<br>";
+						$error .= "Lease time ".htmlspecialchars($leasetime)." is invalid!<br>";
 					}
 
 					if(isset($_POST["useIPv6"]))
@@ -483,7 +483,7 @@ function readStaticLeasesFile()
 					if(!strlen($error))
 					{
 						exec("sudo pihole -a enabledhcp ".$from." ".$to." ".$router." ".$leasetime." ".$domain." ".$ipv6);
-						$success .= "The DHCP server has been activated ".$type;
+						$success .= "The DHCP server has been activated ".htmlspecialchars($type);
 					}
 				}
 				else