Merge pull request #1665 from pi-hole/fix/escape-all-the-things

Prevent malformed DNS queries executing JS on querylog/long term query pages

api_FTL.php

@@ -323,7 +323,7 @@
 		{
 			$tmp = explode(" ",$line);
 			// UTF-8 encode domain
-			$tmp[2] = utf8_encode($tmp[2]);
+			$tmp[2] = utf8_encode(str_replace("~"," ",$tmp[2]));
 			// UTF-8 encode client host name
 			$tmp[3] = utf8_encode($tmp[3]);
 			array_push($allQueries,$tmp);

api_db.php

@@ -154,7 +154,7 @@ function resolveHostname($clientip, $printIP)
 						break;
 				}
 				// array:        time     type         domain                client           status   upstream destination
-				$allQueries[] = [$row[0], $query_type, utf8_encode($row[2]), utf8_encode($c), $row[4], utf8_encode($row[5])];
+				$allQueries[] = [$row[0], $query_type, utf8_encode(str_replace("~"," ",$row[2])), utf8_encode($c), $row[4], utf8_encode($row[5])];
 			}
 	}
 	$result = array('data' => $allQueries);

scripts/pi-hole/js/db_queries.js

@@ -324,8 +324,8 @@ $(function () {
         }
       },
       { width: "10%" },
-      { width: "40%" },
-      { width: "20%", type: "ip-address" },
+      { width: "40%", render: $.fn.dataTable.render.text() },
+      { width: "20%", type: "ip-address", render: $.fn.dataTable.render.text() },
       { width: "10%" },
       { width: "5%" }
     ],

scripts/pi-hole/js/queries.js

@@ -201,7 +201,7 @@ $(function () {
           buttontext = "";
       }
 
-      fieldtext += '<input type="hidden" name="id" value="' + data[4] + '">';
+      fieldtext += '<input type="hidden" name="id" value="' + parseInt(data[4], 10) + '">';
 
       if (colorClass !== false) {
         $(row).addClass(colorClass);