Further fixes for grave character security protection

[ddb4github]

Describe the bug

• cacti/data_templates.php:
  Name column does not escape grave(`) char.
  Example:

  Cacti Stats - Export Duration	onmouseover=`alert(188)`
  

  Ref: https://davidmurdoch.com/2017/09/02/the-grave-accent-and-xss/
• graph_templates.php?action=template_edit&id=123
  Graph Item Inputs-->Name column, cruly braces(})
  Example:

  a onmouseover=55+{toString:alert}//
  

To Reproduce

Hardly reproduce under Firefox/Chrome

[netniV]

Does this affect any other areas?

[ddb4github]

• data_templates.php issue is about function filter_value
• graph_templates.php issue is about function html_escape
• current filter_value does not use html_escape

[TheWitness]

@ddb4github, didn't I propose and didn't we implement a str_replace() on the graves character?

[TheWitness]

This is already in the 1.2.x branch. Is it nor right?

[netniV]

If you look more closely though, I think he's saying that the filter_value calls we have don't use html_escape so if any of the filter_values are reused in display, they would allow XSS.

[netniV]

I was unable to reproduce this myself, so I have basically applied the same code in filter_value as was present in html_escape. This will make the filters align better as well so it should be a win win scenario.

[TheWitness]

That's cause we fixed it already ;)

[TheWitness]

Here is the commit that fixed the graves issue.

8b42b65

Going to close this as duplicate.

[netniV]

This isn't a duplicate. It's applying the fix to the filter_value() function.

[TheWitness]

Yea, I noted that.

[netniV]

Confused as you said it was a duplicate.