
Lack of escaping on some pages can lead to XSS exposure #3549

@ddb4github


Describe the bug

Several XSS Vulnerabilities during XSS testing

To Reproduce

Case#1

  1. Go to 'Reporting (reports_admin.php)'
  2. Create/Modify a report
  3. Add a 'Text' item with Fixed Text <script>alert('test CVE');</script>
  4. Click save, and then return to the Item list
  5. See error, popup alert('test CVE') as below
  6. Click the 'Preview' tab
  7. See error again.

Case#2

  1. Go to 'Console -> Data Collection -> Data Queries'
  2. Select a data query, and click its name to edit it
  3. Click the name of one of the Associated Graph Templates
  4. Modify the name to <script>alert('test CVE');</script>
  5. Click the Save button, then click the Return button
  6. Click the x icon at the right of the row for the modified one
  7. See error, popup alert('test CVE') as below

Case#3

data_input.php: delete, then click an output/input field with <script>alert('test CVE');</script>

Case#4

graph_templates.php: add graph items with a color named <script>alert('test CVE');</script>

Case#5

  1. Go to 'Console -> Management'
  2. Add an XSS Site with name <script>alert('SiteCore');</script>
  3. Add an XSS Device with name: <script>alert('hostname');</script>, description: <script>alert('hostdesc');</script>
  4. Access any 'Console -> Management -> Trees'
  5. Click any one of the tree names
  6. See error, popup twice: alert('SiteCore'), alert('hostdesc'), alert('hostname').

Case#6

  1. Go to 'Console -> Management -> Trees'
  2. Create a tree with name <script>alert('tree');</script>
  3. Access 'Console -> Management -> Graphs'
  4. Select any one of the graphs
  5. Select Action 'Place on a Tree' <script>alert('tree');</script>
  6. Click Go
  7. See error, popup alert('tree')

Case#7

  1. Edit a graph template, fill the name with <script>alert('gtemplatename');</script>
  2. Edit or create a report with name <script>alert('rptname');</script>
  3. Access Graphs --> List/Tree/Preview mode
  4. See error: tree/preview mode will pop up alert('gtemplatename') only, and list mode will pop up an extra alert('rptname')

Case#8

  1. Edit or create a graph template, fill the name with <script>alert('gtemplatename');</script>
  2. Associate the above graph template to a device
  3. Edit the above device
  4. Click the hyperlink 'Create Graphs for this Device'
  5. Select the above graph template in the list
  6. Click the "Create" button
  7. See error

Desktop

  • OS: Windows 10
  • Browser: Firefox
  • Version: 68.8 ESR
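The common root of all eight cases is that stored field values (site, device, tree and template names, descriptions, color names) are written into HTML without encoding. The added example below is not Cacti's code or the reporter's: it places the unescaped concatenation that produces the Case#5 popups beside the encoded form that prevents them; the function names and the row layout are hypothetical, and the row values are constructed from the payloads in the report.

```php
<?php
// Vulnerable pattern (hypothetical): database values are concatenated straight
// into the markup, so a stored <script> element is emitted as live HTML.
function render_tree_row_unescaped(array $row): string {
    return '<tr><td>' . $row['site_name'] . '</td>'
         . '<td title="' . $row['description'] . '">' . $row['hostname'] . '</td></tr>';
}

// Hardened pattern: encode every untrusted value at the point it is emitted.
// ENT_QUOTES also encodes ' and ", so a value placed inside the title attribute
// cannot close the attribute and start a new one (e.g. an onmouseover handler).
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_tree_row_escaped(array $row): string {
    return '<tr><td>' . esc($row['site_name']) . '</td>'
         . '<td title="' . esc($row['description']) . '">' . esc($row['hostname']) . '</td></tr>';
}

// Regression check a maintainer can keep in a test suite: rendered markup built
// from stored data must never contain a raw script tag.
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed sample row carrying the same payloads the report stored via the UI.
$row = [
    'site_name'   => "<script>alert('SiteCore');</script>",
    'hostname'    => "<script>alert('hostname');</script>",
    'description' => "<script>alert('hostdesc');</script>",
];

var_dump(contains_raw_script(render_tree_row_unescaped($row)));
var_dump(contains_raw_script(render_tree_row_escaped($row)));
echo render_tree_row_escaped($row), PHP_EOL;
```

The same encode-on-output rule applies to the report text item, the graph-template name, the color name and the tree name in the other cases; escaping only at input time would miss values already present in the database.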

Labels: SECURITY (A security issue reported through CVE), bug (Undesired behaviour), resolved (A fixed issue)
