Merge pull request from GHSA-mhr8-7rvg-8r43
* Prevent possible XSS attack vector on add_client
Update JS code to prevent possible XSS vector

Co-authored-by: Harold Kim <root@stypr.com>
Signed-off-by: Adam Warner <me@adamwarner.co.uk>

* Fix both addClient and deleteClient to prevent XSS

Signed-off-by: Harold Kim <root@stypr.com>

Co-authored-by: Harold Kim <root@stypr.com>
PromoFaux and stypr committed Oct 23, 2021
1 parent e53f7e6 commit 01191c7
Showing 2 changed files with 4 additions and 2 deletions.
4 changes: 2 additions & 2 deletions scripts/pi-hole/js/groups-clients.js
Expand Up @@ -260,7 +260,7 @@ function initTable() {
}

function addClient() {
var ip = $("#select").val().trim();
var ip = utils.escapeHtml($("#select").val().trim());
var comment = utils.escapeHtml($("#new_comment").val());

utils.disableAll();
Expand Down Expand Up @@ -385,7 +385,7 @@ function editClient() {
function deleteClient() {
var tr = $(this).closest("tr");
var id = tr.attr("data-id");
var ip = tr.find("#ip_" + id).text();
var ip = utils.escapeHtml(tr.find("#ip_" + id).text());
var name = utils.escapeHtml(tr.find("#name_" + id).text());

if (name.length > 0) {
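Review bot: Both changed lines escape `ip` at the point it is read rather than at the point it is written into the page, which couples an output-encoding step to a value that probably also travels elsewhere (the AJAX payload in addClient, the confirmation text in deleteClient — both sinks are outside this hunk, so this is inferred). If the escaped string is what gets posted to groups.php, an address containing `&`, `"` or `<` is stored HTML-encoded and then encoded a second time by the server-side `htmlspecialchars` in the same PR. The robust shape is to keep `ip` raw here, validate it as an IP/CIDR/MAC/hostname, and escape only where it is interpolated into HTML — or use jQuery's `.text()` setter at that sink so no manual escaping is needed. The implementation of `utils.escapeHtml` is not visible, so whether it covers single quotes for attribute or JS-string contexts should be confirmed; addClient and deleteClient both continue past the hunk.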
2 changes: 2 additions & 0 deletions scripts/pi-hole/php/groups.php
Expand Up @@ -347,6 +347,8 @@ function JSON_error($message = null)
}

foreach ($ips as $ip) {
// Encode $ip variable to prevent XSS
$ip = htmlspecialchars($ip);
// Silently skip this entry when it is empty or not a string (e.g. NULL)
if(!is_string($ip) || strlen($ip) == 0) {
continue;
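Review bot: The new `$ip = htmlspecialchars($ip);` runs before the existing `!is_string($ip)` guard, so a non-string entry (NULL, an array) is handed to `htmlspecialchars` first; depending on PHP version that means a deprecation notice, a warning with a NULL result, or a TypeError, and the guard no longer protects anything. Swap the order so the type/length check comes first, i.e. move the encoding line below the `continue`. Note also that `htmlspecialchars` with default flags does not encode single quotes before PHP 8.1, so if `$ip` ever lands in a single-quoted attribute or JS string the encoding is incomplete — prefer `htmlspecialchars($ip, ENT_QUOTES, 'UTF-8')`. More fundamentally this encodes on input and stores the encoded form; validating the value as an IP/CIDR/MAC/hostname and rejecting anything else would remove the XSS-relevant characters entirely, leaving HTML encoding to the output layer. The `foreach` body continues outside the hunk.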
