CA/Cert descr validation fixes. Fixes #13387

Validate description on save when editing and in other situations that
were not yet covered.

While here, ensure that errors when editing a cert leave the user on the
cert edit screen properly, but successful cases return to the cert list.

Also encode some output just in case a bad value was already present
before the validation was fixed.

src/usr/local/www/system_camanager.php

@@ -153,6 +153,10 @@
 			$reqdfieldsn = array(
 				gettext("Descriptive name"),
 				gettext("Certificate data"));
+			/* Make sure we do not have invalid characters in the fields for the certificate */
+			if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) {
+				array_push($input_errors, gettext("The field 'Descriptive Name' contains invalid characters."));
+			}
 			if ($_POST['cert'] && (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE"))) {
 				$input_errors[] = gettext("This certificate does not appear to be valid.");
 			}
@@ -439,7 +443,7 @@
 
 	$issuer_ca = lookup_ca($ca['caref']);
 	if ($issuer_ca) {
-		$issuer_name = $issuer_ca['descr'];
+		$issuer_name = htmlspecialchars($issuer_ca['descr']);
 	}
 
 	foreach ($a_cert as $cert) {

src/usr/local/www/system_certmanager.php

@@ -246,6 +246,10 @@
 			break;
 		case 'edit':
 		case 'import':
+			/* Make sure we do not have invalid characters in the fields for the certificate */
+			if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) {
+				$input_errors[] = gettext("The field 'Descriptive Name' contains invalid characters.");
+			}
 			$pkcs12_data = '';
 			if ($_POST['import_type'] == 'x509') {
 				$reqdfields = explode(" ",
@@ -448,7 +452,7 @@
 				$ucert = lookup_cert($pconfig['certref']);
 				if ($ucert && $a_user) {
 					$a_user[$userid]['cert'][] = $ucert['refid'];
-					$savemsg = sprintf(gettext("Added certificate %s to user %s"), $ucert['descr'], $a_user[$userid]['name']);
+					$savemsg = sprintf(gettext("Added certificate %s to user %s"), htmlspecialchars($ucert['descr']), $a_user[$userid]['name']);
 				}
 				unset($cert);
 				break;
@@ -484,13 +488,15 @@
 					}
 					// Add it to the config file
 					$config['cert'][] = $newcert;
-					$savemsg = sprintf(gettext("Signed certificate %s"), $newcert['descr']);
+					$savemsg = sprintf(gettext("Signed certificate %s"), htmlspecialchars($newcert['descr']));
+					unset($act);
 				}
 				unset($cert);
 				break;
 			case 'edit':
 				cert_import($cert, $pconfig['cert'], $pconfig['key']);
-				$savemsg = sprintf(gettext("Edited certificate %s"), $cert['descr']);
+				$savemsg = sprintf(gettext("Edited certificate %s"), htmlspecialchars($cert['descr']));
+				unset($act);
 				break;
 			case 'import':
 				/* Import an external certificate+key */
@@ -510,7 +516,8 @@
 					}
 				}
 				cert_import($cert, $pconfig['cert'], $pconfig['key']);
-				$savemsg = sprintf(gettext("Imported certificate %s"), $cert['descr']);
+				$savemsg = sprintf(gettext("Imported certificate %s"), htmlspecialchars($cert['descr']));
+				unset($act);
 				break;
 			case 'internal':
 				/* Create an internal certificate */
@@ -554,7 +561,8 @@
 						}
 					}
 				}
-				$savemsg = sprintf(gettext("Created internal certificate %s"), $cert['descr']);
+				$savemsg = sprintf(gettext("Created internal certificate %s"), htmlspecialchars($cert['descr']));
+				unset($act);
 				break;
 			case 'external':
 				/* Create a certificate signing request */
@@ -598,7 +606,8 @@
 						}
 					}
 				}
-				$savemsg = sprintf(gettext("Created certificate signing request %s"), $cert['descr']);
+				$savemsg = sprintf(gettext("Created certificate signing request %s"), htmlspecialchars($cert['descr']));
+				unset($act);
 				break;
 			default:
 				break;
@@ -656,7 +665,7 @@
 		$cert['descr'] = $pconfig['descr'];
 		csr_complete($cert, $pconfig['cert']);
 		$thiscert = $cert;
-		$savemsg = sprintf(gettext("Updated certificate signing request %s"), $pconfig['descr']);
+		$savemsg = sprintf(gettext("Updated certificate signing request %s"), htmlspecialchars($pconfig['descr']));
 		write_config($savemsg);
 		pfSenseHeader("system_certmanager.php");
 	}
@@ -708,6 +717,15 @@
 		));
 	}
 
+	if ($act) {
+		$form->addGlobal(new Form_Input(
+			'act',
+			null,
+			'hidden',
+			$act
+		));
+	}
+
 	switch ($act) {
 		case 'edit':
 			$maintitle = gettext('Edit an Existing Certificate');
@@ -1402,7 +1420,7 @@ function list_csrs() {
 
 	$ca = lookup_ca($cert['caref']);
 	if ($ca) {
-		$caname = $ca['descr'];
+		$caname = htmlspecialchars($ca['descr']);
 	}
 ?>
 				<tr>