hardening: escape device hostname output in syslog view; parameterize alert API functions

[somethingwithproof]

Reviewed syslog.php and syslog_alerts.php at commit c64bcca. Two hardening items worth addressing.

Unescaped device hostname in HTML output (syslog.php)

Three locations print the device hostname directly into HTML without html_escape():

// line 367 -- <td> cell
print '<td>' . (get_request_var('host') != '-2' ? $r['host']:'-') . '</td>';

// line 524 -- <option> element
print '>' . $host['host'] . '</option>';

// line 1352 -- <option> element (after syslog_strip_domain)
print $host['host'] . '</option>';

If a device hostname in the Cacti database contains HTML special characters, they render as markup for all users viewing the syslog page. The fix is straightforward -- wrap each with html_escape():

print '<td>' . html_escape($r['host']) . '</td>';
print '>' . html_escape($host['host']) . '</option>';

All exploitable paths require an authenticated Cacti session and a device hostname containing markup in the database.

---

Unparameterized alert API functions (syslog_alerts.php)

api_syslog_alert_remove(), api_syslog_alert_disable(), and api_syslog_alert_enable() (lines 327-339) concatenate $id directly into SQL without internal validation:

function api_syslog_alert_remove($id) {
    syslog_db_execute("DELETE FROM `...`.`syslog_alert` WHERE id='" . $id . "'");
}

Current call sites pass integers from sanitize_unserialize_selected_items(), so there is no active injection path. Adding intval($id) at the top of each function closes the risk for any future caller without changing behavior:

function api_syslog_alert_remove($id) {
    $id = intval($id);
    syslog_db_execute("DELETE FROM `...`.`syslog_alert` WHERE id='" . $id . "'");
}

Or switch to syslog_db_execute_prepared() if available.

---

Investigated and ruled out

• $hfilter in IN() clause (syslog.php): validated by FILTER_VALIDATE_IS_NUMERIC_LIST. Safe.
• rfilter SQL breakout: validate_is_regex() uses ' as the preg_match delimiter, blocking single-quote input. Not injectable.
• Retention DELETE and confirmation dialog fetch: not injectable in practice (date format / digits-only regex), but inconsistent with parameterized calls elsewhere.

[somethingwithproof]

Adding additional confirmed surfaces from current review (commit 26e9f76) so this tracks the full escaping scope:

1. Unescaped non-host fields in stats table
   • syslog.php:368-370 prints $r['facility'], $r['priority'], $r['program'] without escaping.
2. AJAX host option injection path
   • syslog.php:152-154 returns raw host in JSON;
   • js/functions.js:223 appends using HTML string concat (... + hostData.host + ...), enabling markup/script injection if host text is attacker-controlled.
3. Unescaped rule text in admin views
   • syslog_reports.php:160 and syslog_removal.php:172 build <li> with raw DB values;
   • syslog_reports.php:728 prints raw $report['message'] via form_selectable_cell.

Suggested fix: consistently use html_escape / form_selectable_ecell server-side and DOM-safe text insertion client-side ($('<option>').text(...)).