Improper escaping of error message leads to XSS during template import preview (#3723)

Closes #3723
netniV committed Jul 26, 2020
1 parent 99d3bf8 commit 39458ef
Showing 2 changed files with 3 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG
@@ -3,6 +3,7 @@ Cacti CHANGELOG
1.2.14
-issue#3695: Spikekill `percent` is converted from percent to decimal twice, making it 1/100 of the true size
-issue#3676: Device not showing up in device page but showing up in Monitor tab (continued)
-issue#3723: Improper escaping of error message leads to XSS during template import preview
-feature#3619: Spikekill percent does not go high enough
-feature#3615: Spikekill user options differ from Spikekill global options

4 changes: 2 additions & 2 deletions lib/import.php
@@ -981,7 +981,7 @@ function xml_to_data_query($hash, &$xml_array, &$hash_cache) {
$path = str_replace('<path_cacti>', $config['base_path'], $save['xml_path']);

if (!file_exists($path) || !is_readable($path)) {
raise_message('resource_missing_' . $counter, __('Resource File: \'%s\' is missing or not readable. Make sure you install it before using Data Query: \'%s\'', $path, $save['name']), MESSAGE_LEVEL_ERROR);
raise_message('resource_missing_' . $counter, __esc('Resource File: \'%s\' is missing or not readable. Make sure you install it before using Data Query: \'%s\'', $path, $save['name']), MESSAGE_LEVEL_ERROR);
$counter++;
}
}
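Review bot: switching the raise_message() call from __() to __esc() is the right place to escape, since both $path (built from the imported $save['xml_path']) and $save['name'] come straight from the uploaded template and are interpolated into the rendered message. Two follow-ups: confirm that whatever prints the stored message does not run html_escape() a second time, otherwise the quoted '%s' values will show up as &#039; entities instead of apostrophes; and audit the rest of lib/import.php for other raise_message(..., __(...)) calls that format template-supplied strings, since the same pattern would carry the same problem.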
@@ -2090,7 +2090,7 @@ function import_display_results($import_debug_info, $filestatus, $web = false, $

print "<ul>";
foreach($filestatus as $filename => $status) {
print "<li>" . ($preview ? __("[preview] "):"") . $filename . " [" . $status . "]</li>\n";
print "<li>" . ($preview ? __("[preview] "):"") . html_escape($filename) . " [" . $status . "]</li>\n";
}
print "</ul>";
} else {
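Review bot: on the changed print line $status is still concatenated into the <li> unescaped; unless every value in $filestatus is a fixed internal constant, wrap it the same way, e.g. `html_escape($filename) . " [" . html_escape($status) . "]"`, so a template-derived status string cannot reintroduce the same XSS. Escaping at output time with html_escape() rather than pre-escaping the $filestatus keys is the right choice here, since $filename doubles as the array key.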
