

make use of utils.escapeHtml on the JS side of things, and html_entity_decode/htmlentities in PHP

Signed-off-by: Adam Warner <[email protected]>
PromoFaux committed Jun 13, 2020
1 parent 557bd85 commit c949516
Showing 11 changed files with 67 additions and 58 deletions.
1 change: 1 addition & 0 deletions dns_records.php
Expand Up @@ -89,6 +89,7 @@
</div>
</div>

<script src="scripts/pi-hole/js/utils.js"></script>
<script src="scripts/pi-hole/js/ip-address-sorting.js"></script>
<script src="scripts/pi-hole/js/customdns.js"></script>

6 changes: 4 additions & 2 deletions scripts/pi-hole/js/customdns.js
Expand Up @@ -5,6 +5,8 @@
* This file is copyright under the latest version of the EUPL.
* Please see LICENSE file for your rights under this license. */

/* global utils:false */

var table;
var token = $("#token").text();

Expand Down Expand Up @@ -76,8 +78,8 @@ $(function () {
});

function addCustomDNS() {
var ip = $("#ip").val();
var domain = $("#domain").val();
var ip = utils.escapeHtml($("#ip").val());
var domain = utils.escapeHtml($("#domain").val());

showAlert("info");
$.ajax({
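Review bot: The escapeHtml() calls on the new `ip` and `domain` lines in addCustomDNS are not a server-side control: only the browser applies them, and the PHP handlers in this same commit html_entity_decode the values again, so a request that does not come from this page reaches the server with no encoding at all. What they do achieve is making the value safe for the alert this page renders locally, which is worth a comment so nobody later mistakes them for input validation: `// escapeHtml only protects the local alert; the server must escape when it renders stored values`. The escaping that protects other users of the admin interface has to happen where the stored value is rendered, not here. The same applies to the escapeHtml calls added in groups-adlists.js, groups-clients.js, groups-domains.js and groups.js. addCustomDNS continues past the end of the hunk.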
10 changes: 5 additions & 5 deletions scripts/pi-hole/js/groups-adlists.js
Expand Up @@ -212,8 +212,8 @@ function initTable() {
}

function addAdlist() {
var address = $("#new_address").val();
var comment = $("#new_comment").val();
var address = utils.escapeHtml($("#new_address").val());
var comment = utils.escapeHtml($("#new_comment").val());

utils.disableAll();
utils.showAlert("info", "", "Adding adlist...", address);
Expand Down Expand Up @@ -258,9 +258,9 @@ function editAdlist() {
var tr = $(this).closest("tr");
var id = tr.attr("data-id");
var status = tr.find("#status_" + id).is(":checked") ? 1 : 0;
var comment = tr.find("#comment_" + id).val();
var comment = utils.escapeHtml(tr.find("#comment_" + id).val());
var groups = tr.find("#multiselect_" + id).val();
var address = tr.find("#address_" + id).text();
var address = utils.escapeHtml(tr.find("#address_" + id).text());

var done = "edited";
var notDone = "editing";
Expand Down Expand Up @@ -338,7 +338,7 @@ function editAdlist() {
function deleteAdlist() {
var tr = $(this).closest("tr");
var id = tr.attr("data-id");
var address = tr.find("#address_" + id).text();
var address = utils.escapeHtml(tr.find("#address_" + id).text());

utils.disableAll();
utils.showAlert("info", "", "Deleting adlist...", address);
12 changes: 6 additions & 6 deletions scripts/pi-hole/js/groups-clients.js
Expand Up @@ -246,9 +246,9 @@ function initTable() {

function addClient() {
var ip = $("#select").val();
var comment = $("#new_comment").val();
var comment = utils.escapeHtml($("#new_comment").val());
if (ip === "custom") {
ip = $("#ip-custom").val().trim();
ip = utils.escapeHtml($("#ip-custom").val().trim());
}

utils.disableAll();
Expand Down Expand Up @@ -303,9 +303,9 @@ function editClient() {
var tr = $(this).closest("tr");
var id = tr.attr("data-id");
var groups = tr.find("#multiselect_" + id).val();
var ip = tr.find("#ip_" + id).text();
var name = tr.find("#name_" + id).text();
var comment = tr.find("#comment_" + id).val();
var ip = utils.escapeHtml(tr.find("#ip_" + id).text());
var name = utils.escapeHtml(tr.find("#name_" + id).text());
var comment = utils.escapeHtml(tr.find("#comment_" + id).val());

var done = "edited";
var notDone = "editing";
Expand Down Expand Up @@ -370,7 +370,7 @@ function deleteClient() {
var tr = $(this).closest("tr");
var id = tr.attr("data-id");
var ip = tr.find("#ip_" + id).text();
var name = tr.find("#name_" + id).text();
var name = utils.escapeHtml(tr.find("#name_" + id).text());

if (name.length > 0) {
ip += " (" + name + ")";
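Review bot: In deleteClient the new line escapes `name` while the `ip` read on the line directly above it stays raw, and the two are then joined into one string by `ip += " (" + name + ")";`, so the value that goes on to be displayed is half-encoded. Apply one treatment to both halves: either `var ip = utils.escapeHtml(tr.find("#ip_" + id).text());` next to the name line, or leave both raw and escape once at the point where the combined string is rendered. addClient has the same split in the first hunk of this file: the `#select` value is untouched while the custom IP branch is escaped. deleteClient's body continues past the hunk.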
10 changes: 5 additions & 5 deletions scripts/pi-hole/js/groups-domains.js
Expand Up @@ -318,8 +318,8 @@ function addDomain() {
commentEl = $("#new_regex_comment");
}

var domain = domainEl.val();
var comment = commentEl.val();
var domain = utils.escapeHtml(domainEl.val());
var comment = utils.escapeHtml(commentEl.val());

utils.disableAll();
utils.showAlert("info", "", "Adding " + domainRegex + "...", domain);
Expand Down Expand Up @@ -385,10 +385,10 @@ function editDomain() {
var elem = $(this).attr("id");
var tr = $(this).closest("tr");
var id = tr.attr("data-id");
var domain = tr.find("#domain_" + id).text();
var domain = utils.escapeHtml(tr.find("#domain_" + id).text());
var type = tr.find("#type_" + id).val();
var status = tr.find("#status_" + id).is(":checked") ? 1 : 0;
var comment = tr.find("#comment_" + id).val();
var comment = utils.escapeHtml(tr.find("#comment_" + id).val());

// Show group assignment field only if in full domain management mode
// if not included, just use the row data.
Expand Down Expand Up @@ -485,7 +485,7 @@ function editDomain() {
function deleteDomain() {
var tr = $(this).closest("tr");
var id = tr.attr("data-id");
var domain = tr.find("#domain_" + id).text();
var domain = utils.escapeHtml(tr.find("#domain_" + id).text());
var type = tr.find("#type_" + id).val();

var domainRegex;
10 changes: 5 additions & 5 deletions scripts/pi-hole/js/groups.js
Expand Up @@ -127,8 +127,8 @@ $(function () {
});

function addGroup() {
var name = $("#new_name").val();
var desc = $("#new_desc").val();
var name = utils.escapeHtml($("#new_name").val());
var desc = utils.escapeHtml($("#new_desc").val());

utils.disableAll();
utils.showAlert("info", "", "Adding group...", name);
Expand Down Expand Up @@ -166,9 +166,9 @@ function editGroup() {
var elem = $(this).attr("id");
var tr = $(this).closest("tr");
var id = tr.attr("data-id");
var name = tr.find("#name_" + id).val();
var name = utils.escapeHtml(tr.find("#name_" + id).val());
var status = tr.find("#status_" + id).is(":checked") ? 1 : 0;
var desc = tr.find("#desc_" + id).val();
var desc = utils.escapeHtml(tr.find("#desc_" + id).val());

var done = "edited";
var notDone = "editing";
Expand Down Expand Up @@ -239,7 +239,7 @@ function editGroup() {
function deleteGroup() {
var tr = $(this).closest("tr");
var id = tr.attr("data-id");
var name = tr.find("#name_" + id).val();
var name = utils.escapeHtml(tr.find("#name_" + id).val());

utils.disableAll();
utils.showAlert("info", "", "Deleting group...", name);
4 changes: 2 additions & 2 deletions scripts/pi-hole/php/database.php
Expand Up @@ -161,9 +161,9 @@ function add_to_table($db, $table, $domains, $comment=null, $wildcardstyle=false
if($wildcardstyle)
$domain = "(\\.|^)".str_replace(".","\\.",$domain)."$";

$stmt->bindValue(":$field", $domain, SQLITE3_TEXT);
$stmt->bindValue(":$field", htmlentities($domain), SQLITE3_TEXT);
if($bindcomment) {
$stmt->bindValue(":comment", $comment, SQLITE3_TEXT);
$stmt->bindValue(":comment", htmlentities($comment), SQLITE3_TEXT);
}

if($stmt->execute() && $stmt->reset())
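Review bot: The `htmlentities($domain)` bind stores an HTML-encoded string in the column the DNS engine reads, and htmlentities (unlike htmlspecialchars) also rewrites accented and other non-ASCII characters into named entities, so a domain or regex containing one is stored as text that will never match the real name; the wildcard pattern built two lines above is affected in the same way. The database should hold the value as entered, `$stmt->bindValue(":$field", $domain, SQLITE3_TEXT);`, with `htmlspecialchars($domain, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` applied where the value is echoed into a page, and the same goes for the `:comment` bind. Note also that on PHP versions before 8.1 the default flags of htmlentities leave single quotes unencoded, so even as an output encoder it would need explicit flags. add_to_table begins above the hunk.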
39 changes: 21 additions & 18 deletions scripts/pi-hole/php/func.php
Expand Up @@ -214,31 +214,34 @@ function deleteCustomDNSEntry()

function deleteAllCustomDNSEntries()
{
$handle = fopen($customDNSFile, "r");
if ($handle)
if (isset($customDNSFile))
{
try
$handle = fopen($customDNSFile, "r");
if ($handle)
{
while (($line = fgets($handle)) !== false) {
$line = str_replace("\r","", $line);
$line = str_replace("\n","", $line);
$explodedLine = explode (" ", $line);
try
{
while (($line = fgets($handle)) !== false) {
$line = str_replace("\r","", $line);
$line = str_replace("\n","", $line);
$explodedLine = explode (" ", $line);

if (count($explodedLine) != 2)
continue;
if (count($explodedLine) != 2)
continue;

$ip = $explodedLine[0];
$domain = $explodedLine[1];
$ip = $explodedLine[0];
$domain = $explodedLine[1];

pihole_execute("-a removecustomdns ".$ip." ".$domain);
pihole_execute("-a removecustomdns ".$ip." ".$domain);
}
}
catch (\Exception $ex)
{
return errorJsonResponse($ex->getMessage());
}
}
catch (\Exception $ex)
{
return errorJsonResponse($ex->getMessage());
}

fclose($handle);
fclose($handle);
}
}

return successJsonResponse();
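Review bot: `if (isset($customDNSFile))` on the first new line of deleteAllCustomDNSEntries is evaluated inside a function whose opening brace is visible just above it with no `global $customDNSFile;` in between, so unless the path reaches this scope in some way not shown here the variable is never set, the whole block is skipped, and the handler returns successJsonResponse() having deleted nothing. If the path is a file-level variable of func.php, import it and fail loudly when it is absent instead of wrapping the work in a silent guard: `global $customDNSFile;` followed by `if (!isset($customDNSFile)) return errorJsonResponse("custom DNS file path is not configured");` in place of the isset wrapper. The rest of the function, including its closing brace, lies past the hunk.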
25 changes: 14 additions & 11 deletions scripts/pi-hole/php/groups.php
Expand Up @@ -58,7 +58,8 @@ function JSON_error($message = null)
} elseif ($_POST['action'] == 'add_group') {
// Add new group
try {
$names = str_getcsv(trim($_POST['name']), ' ');
$input = html_entity_decode(trim($_POST['name']));
$names = str_getcsv($input, ' ');
$total = count($names);
$added = 0;
$stmt = $db->prepare('INSERT INTO "group" (name,description) VALUES (:name,:desc)');
Expand Down Expand Up @@ -96,6 +97,9 @@ function JSON_error($message = null)
} elseif ($_POST['action'] == 'edit_group') {
// Edit group identified by ID
try {
$name = html_entity_decode($_POST['name']);
$desc = html_entity_decode($_POST['desc']);

$stmt = $db->prepare('UPDATE "group" SET enabled=:enabled, name=:name, description=:desc WHERE id = :id');
if (!$stmt) {
throw new Exception('While preparing statement: ' . $db->lastErrorMsg());
Expand All @@ -106,11 +110,10 @@ function JSON_error($message = null)
throw new Exception('While binding enabled: ' . $db->lastErrorMsg());
}

if (!$stmt->bindValue(':name', $_POST['name'], SQLITE3_TEXT)) {
if (!$stmt->bindValue(':name', $name, SQLITE3_TEXT)) {
throw new Exception('While binding name: ' . $db->lastErrorMsg());
}

$desc = $_POST['desc'];
if (strlen($desc) === 0) {
// Store NULL in database for empty descriptions
$desc = null;
Expand Down Expand Up @@ -263,7 +266,7 @@ function JSON_error($message = null)
throw new Exception('While binding ip: ' . $db->lastErrorMsg());
}

$comment = $_POST['comment'];
$comment = html_entity_decode($_POST['comment']);
if (strlen($comment) === 0) {
// Store NULL in database for empty comments
$comment = null;
Expand Down Expand Up @@ -293,7 +296,7 @@ function JSON_error($message = null)
throw new Exception('While preparing statement: ' . $db->lastErrorMsg());
}

$comment = $_POST['comment'];
$comment = html_entity_decode($_POST['comment']);
if (strlen($comment) === 0) {
// Store NULL in database for empty comments
$comment = null;
Expand Down Expand Up @@ -453,7 +456,7 @@ function JSON_error($message = null)
} elseif ($_POST['action'] == 'add_domain') {
// Add new domain
try {
$domains = explode(' ', trim($_POST['domain']));
$domains = explode(' ', html_entity_decode(trim($_POST['domain'])));
$before = intval($db->querySingle("SELECT COUNT(*) FROM domainlist;"));
$total = count($domains);
$added = 0;
Expand All @@ -474,7 +477,7 @@ function JSON_error($message = null)
throw new Exception('While binding type: ' . $db->lastErrorMsg());
}

$comment = $_POST['comment'];
$comment = html_entity_decode($_POST['comment']);
if (strlen($comment) === 0) {
// Store NULL in database for empty comments
$comment = null;
Expand Down Expand Up @@ -573,7 +576,7 @@ function JSON_error($message = null)
throw new Exception('While binding enabled: ' . $db->lastErrorMsg());
}

$comment = $_POST['comment'];
$comment = html_entity_decode($_POST['comment']);
if (strlen($comment) === 0) {
// Store NULL in database for empty comments
$comment = null;
Expand Down Expand Up @@ -742,7 +745,7 @@ function JSON_error($message = null)
} elseif ($_POST['action'] == 'add_adlist') {
// Add new adlist
try {
$addresses = explode(' ', trim($_POST['address']));
$addresses = explode(' ', html_entity_decode(trim($_POST['address'])));
$total = count($addresses);
$added = 0;

Expand All @@ -751,7 +754,7 @@ function JSON_error($message = null)
throw new Exception('While preparing statement: ' . $db->lastErrorMsg());
}

$comment = $_POST['comment'];
$comment = html_entity_decode($_POST['comment']);
if (strlen($comment) === 0) {
// Store NULL in database for empty comments
$comment = null;
Expand Down Expand Up @@ -800,7 +803,7 @@ function JSON_error($message = null)
throw new Exception('While binding enabled: ' . $db->lastErrorMsg());
}

$comment = $_POST['comment'];
$comment = html_entity_decode($_POST['comment']);
if (strlen($comment) === 0) {
// Store NULL in database for empty comments
$comment = null;
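Review bot: Every new `html_entity_decode($_POST[...])` call in this file relies on the function's default flags, which on PHP versions before 8.1 are ENT_COMPAT|ENT_HTML401 and do not decode single quotes, so if utils.escapeHtml on the client encodes `'` (its implementation is not in this diff) a name or comment containing an apostrophe is stored with `&#039;` left in it. Pass the flags explicitly, e.g. `$comment = html_entity_decode($_POST['comment'], ENT_QUOTES, 'UTF-8');`, at the add_group decode in the first hunk and at the other decode sites in this file (edit_group, and the client, domain and adlist handlers). Decoding on the server also means any request, not only one sent by this page, can submit entity-encoded text that is stored decoded, so these decodes only hold up if every place these columns are rendered escapes them. Each handler continues outside its hunk.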
4 changes: 2 additions & 2 deletions scripts/pi-hole/php/teleporter.php
Expand Up @@ -173,7 +173,7 @@ function archive_restore_table($file, $table, $flush=false)
foreach($contents as $row)
{
// Limit max length for a domain entry to 253 chars
if(strlen($row[$field]) > 253)
if(isset($field) && strlen($row[$field]) > 253)
continue;

// Bind properties from JSON data
Expand All @@ -196,7 +196,7 @@ function archive_restore_table($file, $table, $flush=false)
default:
$sqltype = "UNK";
}
$stmt->bindValue(":".$key, $value, $sqltype);
$stmt->bindValue(":".$key, htmlentities($value), $sqltype);
}

if($stmt->execute() && $stmt->reset() && $stmt->clear())
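Review bot: `htmlentities($value)` on the bindValue line is applied to every column of every restored row, and because database.php in this same commit now stores entity-encoded text, an archive exported from an updated instance is encoded a second time on restore (`&amp;` becomes `&amp;amp;`), growing on each backup/restore cycle; non-ASCII domains are also rewritten into named entities, which changes what the DNS engine matches. The restore path should bind the archived value unchanged, `$stmt->bindValue(":".$key, $value, $sqltype);`, and leave HTML escaping to the templates that render it. The `isset($field)` added to the length check in the first hunk also means the 253-character limit is skipped entirely whenever `$field` is unset; how `$field` is assigned is outside the hunk, so confirm that is the intended behaviour rather than a case that should be reported. archive_restore_table begins above the first hunk.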
4 changes: 2 additions & 2 deletions settings.php
Expand Up @@ -714,7 +714,7 @@ function convertseconds($argument)
title="Lease type: IPv<?php echo $lease["type"]; ?><br/>Remaining lease time: <?php echo $lease["TIME"]; ?><br/>DHCP UID: <?php echo $lease["clid"]; ?>">
<td id="MAC"><?php echo $lease["hwaddr"]; ?></td>
<td id="IP" data-order="<?php echo bin2hex(inet_pton($lease["IP"])); ?>"><?php echo $lease["IP"]; ?></td>
<td id="HOST"><?php echo $lease["host"]; ?></td>
<td id="HOST"><?php echo htmlentities($lease["host"]); ?></td>
<td>
<button type="button" id="button" class="btn btn-warning btn-xs" data-static="alert">
<span class="fas fas fa-file-import"></span>
Expand Down Expand Up @@ -742,7 +742,7 @@ function convertseconds($argument)
<tr>
<td><?php echo $lease["hwaddr"]; ?></td>
<td data-order="<?php echo bin2hex(inet_pton($lease["IP"])); ?>"><?php echo $lease["IP"]; ?></td>
<td><?php echo $lease["host"]; ?></td>
<td><?php echo htmlentities($lease["host"]); ?></td>
<td><?php if (strlen($lease["hwaddr"]) > 0) { ?>
<button type="submit" class="btn btn-danger btn-xs" name="removestatic"
value="<?php echo $lease["hwaddr"]; ?>">
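Review bot: Only `$lease["host"]` is escaped in the two rows, while the neighbouring cells and attributes in the same rows still echo `$lease["clid"]`, `$lease["hwaddr"]`, `$lease["TIME"]` and `$lease["IP"]` raw, including inside the `title="..."` attribute on the first context line of the first hunk and the `value="..."` attribute near the end of the second; the client identifier and the hostname are both supplied by the DHCP client, so they deserve the same treatment. Prefer `htmlspecialchars($lease["host"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` over bare htmlentities, whose pre-8.1 defaults leave single quotes unencoded, and apply it to every lease field placed in an attribute or text node. The loop that produces these rows is outside the hunks.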
