From 866b4323a468ef4635ebce998d4da36fe4e1387e Mon Sep 17 00:00:00 2001
From: TheWitness
Date: Sun, 7 Apr 2024 10:33:43 -0400
Subject: [PATCH] Fixing XSS Issue with Form Validation

As reported in GHSA-5p79-q5q3-84vw
---
 lib/html_validate.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/html_validate.php b/lib/html_validate.php
index 38593f0ae2..9f861888d2 100644
--- a/lib/html_validate.php
+++ b/lib/html_validate.php
@@ -47,13 +47,15 @@ function html_log_input_error($variable) {
 function die_html_input_error($variable = null, $value = null, $message = '') {
 $func = CACTI_CLI ? 'trim' : 'html_escape';
+ $variable = ($variable !== null ? ', Variable:' . $func($variable) : '');
+ $value = ($value !== null ? ', Value:' . $func($value) : '');
+
 if ($message == '') {
 $message = __esc('Validation error for variable %s with a value of %s. See backtrace below for more details.', $variable, $value);
+ } elseif (!CACTI_CLI) {
+ $message = html_escape($message);
 }
- $variable = ($variable !== null ? ', Variable:' . $func($variable) : '');
- $value = ($value !== null ? ', Value:' . $func($value) : '');
-
 $isWeb = CACTI_WEB || isset_request_var('json');
 cacti_debug_backtrace('Validation Error' . $variable . $value, $isWeb);
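Review bot: The `if ($message == '')` branch now formats the default message from `$variable` and `$value` after the two added lines have already rewritten them to `', Variable:' . $func($variable)` and `', Value:' . $func($value)`, so the message reads "for variable , Variable:x with a value of , Value:y", and on the web side (where `$func` is `html_escape`) the values are escaped a second time if `__esc()` escapes its formatted result as its name suggests (`&` becomes `&amp;amp;`). Keeping the raw inputs for that one call restores the intended text: add `$rawVariable = $variable; $rawValue = $value;` before the two added assignments and use `$message = __esc('Validation error for variable %s with a value of %s. See backtrace below for more details.', $rawVariable, $rawValue);` in the branch, which stays safe only if `__esc()` does escape; otherwise pass `$func($rawVariable)` and `$func($rawValue)` there. While here, the loose `$message == ''` should be the strict `$message === ''`, since `null` and `false` also satisfy the loose form and would silently take the default-message path instead of the new escaping path. die_html_input_error's body continues past the end of the hunk.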