fix: sanitize extdisplay parameter to prevent XSS

found an xss vulnerability in the web interface that could allow attackers to execute arbitrary javascript in admin sessions.

## affected files

- views/devices.php (line 2)
- views/users.php (line 2) 
- views/extensions.php (line 2)

## vulnerability

the `extdisplay` request parameter is output directly into html attributes without sanitization:

```php
data-fpbx-delete="config.php?display=devices&extdisplay=<?php echo $_REQUEST['extdisplay'] ?>&action=del"
```

## exploit

visiting a url like:
```
config.php?display=devices&extdisplay=" onload="alert(document.cookie)
```

would execute javascript in the context of the admin session, potentially allowing session hijacking or unauthorized actions.

## fix

sanitize the parameter with `htmlspecialchars()`:
```php
<?php echo htmlspecialchars($_REQUEST['extdisplay'], ENT_QUOTES, 'UTF-8') ?>
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: sanitize extdisplay parameter to prevent XSS #176

affected files

vulnerability

exploit

fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

fix: sanitize extdisplay parameter to prevent XSS #176

Description

affected files

vulnerability

exploit

fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions