Browse Source

* escape html entities in network interface settings

the command `ip address show eth0` returns
special characters like "<" and ">" which, if left
unescaped and shown on the page, will create
arbitrary html elements and hide information.

* show interface settings inside unstyled pre block

interface properties should be parsed and displayed
in a proprietary and pretty manner. until then, give
use the raw output of `ip address show`
pull/355/head
glaszig 3 years ago
parent
commit
3db99c7d21
  1. 1
      ajax/networking/get_ip_summary.php
  2. 4
      includes/networking.php

1
ajax/networking/get_ip_summary.php

@ -5,6 +5,7 @@ include_once('../../includes/functions.php');
if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
$int = preg_replace('/[^a-z0-9]/','',$_POST['interface']);
exec('ip a s '.$int,$intOutput,$intResult);
$intOutput = array_map('htmlentities', $intOutput);
$jsonData = ['return'=>$intResult,'output'=>$intOutput];
echo json_encode($jsonData);
} else {

4
includes/networking.php

@ -44,7 +44,9 @@ function DisplayNetworkingConfig()
echo '<div class="col-md-6">
<div class="panel panel-default">
<div class="panel-heading">'.htmlspecialchars($interface, ENT_QUOTES).'</div>
<div class="panel-body" id="'.htmlspecialchars($interface, ENT_QUOTES).'-summary"></div>
<div class="panel-body">
<pre class="unstyled" id="'.htmlspecialchars($interface, ENT_QUOTES).'-summary"></pre>
</div>
</div>
</div>';
}

Loading…
Cancel
Save