
Escape Raw HTML in Outputs
NotsoanoNimus committed May 31, 2023
1 parent 5901db2 commit a5ead0b
Showing 2 changed files with 5 additions and 4 deletions.
5 changes: 3 additions & 2 deletions dmarcts-report-viewer-report-data.php
Expand Up @@ -55,8 +55,9 @@ function tmpl_reportData($reportnumber, $reports, $host_lookup = 1) {

if (isset($reports[$reportnumber])) {
$row = $reports[$reportnumber];

$row['raw_xml'] = formatXML($row['raw_xml'], $reportnumber);
$row = array_map('html_escape', $row);

$reportdata[] = "<div id='report_desc_container' class='center reportdesc_container'>";
$reportdata[] = "<div id='report_desc' class='center reportdesc' class='hilighted' onmouseover='highlight(this);' onmouseout='unhighlight(this);' onclick='pin(this)'>Report from ".$row['org']." for ".$row['domain']."<br>". format_date($row['mindate'], $cookie_options['date_format']). " to ".format_date($row['maxdate'], $cookie_options['date_format'])."<br> Policies: adkim=" . $row['policy_adkim'] . ", aspf=" . $row['policy_aspf'] . ", p=" . $row['policy_p'] . ", sp=" . $row['policy_sp'] . ", pct=" . $row['policy_pct'] . "</div>";
Expand Down Expand Up @@ -151,7 +152,7 @@ function tmpl_reportData($reportnumber, $reports, $host_lookup = 1) {
$row = array_map('html_escape', $row);

$reportdata[] = " <tr id='line" . $row['id'] . "' class='" . get_dmarc_result($row)['color'] . "' title='DMARC Result: " . get_dmarc_result($row)['result'] . "' onmouseover='highlight(this);' onmouseout='unhighlight(this);' onclick='pin(this);'>";
$reportdata[] = " <td>". $ip. "</td>";
$reportdata[] = " <td>". htmlspecialchars($ip) . "</td>";
if ( $host_lookup ) {
$reportdata[] = " <td>". gethostbyaddr($ip). "</td>";
} else {
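Review bot: The reverse-DNS name on the line after the new htmlspecialchars($ip) call is still emitted raw: `gethostbyaddr($ip)` returns whatever PTR record the owner of that address publishes, so it is untrusted input in the same sense as the fields this commit escapes, and the `$host_lookup` branch should wrap it as well, e.g. `$reportdata[] = " <td>". htmlspecialchars(gethostbyaddr($ip), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). "</td>";`. The same explicit flags belong on the `$ip` line, since the surrounding markup uses single-quoted attributes (`id='line...'`, `title='...'`) and htmlspecialchars only encodes `'` by default from PHP 8.1 onward. In the first hunk, `array_map('html_escape', $row)` runs after `formatXML(...)` has already been stored into `$row['raw_xml']`, so if formatXML emits markup meant to be rendered that markup is now escaped too, and `get_dmarc_result($row)` in the second hunk now sees escaped field values — worth confirming both are intended. tmpl_reportData begins before the first hunk and continues past the second.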
4 changes: 2 additions & 2 deletions dmarcts-report-viewer.php
Expand Up @@ -148,7 +148,7 @@ function html ($domains = array(), $orgs = array(), $periods = array() ) {
$html[] = "<option " . ( $cookie_options['Domain'] ? "" : "selected=\"selected\" " ) . "value=\"all\">[all]</option>";

foreach( $domains as $d) {
$html[] = "<option " . ( $cookie_options['Domain'] == $d ? "selected=\"selected\" " : "" ) . "value=\"$d\">$d</option>";
$html[] = "<option " . ( $cookie_options['Domain'] == $d ? "selected=\"selected\" " : "" ) . "value=\"".htmlspecialchars($d)."\">".htmlspecialchars($d)."</option>";
}

$html[] = "</select>";
Expand All @@ -164,7 +164,7 @@ function html ($domains = array(), $orgs = array(), $periods = array() ) {
$html[] = "<option " . ( $cookie_options['Organisation'] ? "" : "selected=\"selected\" " ) . "selected=\"selected\" value=\"all\">[all]</option>";

foreach( $orgs as $o) {
$html[] = "<option " . ( $cookie_options['Organisation'] == $o ? "selected=\"selected\" " : "" ) . "value=\"$o\">" . ( strlen( $o ) > 25 ? substr( $o, 0, 22) . "..." : $o ) . "</option>";
$html[] = "<option " . ( $cookie_options['Organisation'] == $o ? "selected=\"selected\" " : "" ) . "value=\"".htmlspecialchars($o)."\">" . ( strlen( $o ) > 25 ? htmlspecialchars(substr( $o, 0, 22)) . "..." : htmlspecialchars($o) ) . "</option>";
}

$html[] = "</select>";
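Review bot: The truncation in the new organisation line is still byte-based: `strlen( $o ) > 25 ? htmlspecialchars(substr( $o, 0, 22)) . "..."` can cut a multi-byte UTF-8 name in the middle of a sequence, and without ENT_SUBSTITUTE (not among the default flags before PHP 8.1) htmlspecialchars returns an empty string for invalid UTF-8, so the option label silently disappears. Escaping after truncating is the right order; switch the measuring to `mb_strlen`/`mb_substr` and pass explicit flags, e.g. `$label = mb_strlen($o) > 25 ? mb_substr($o, 0, 22) . "..." : $o;` followed by `htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` for both the label and the `value` attribute (and likewise for `$d` in the domain hunk). The `$cookie_options['Domain'] == $d` / `== $o` comparisons that decide `selected` use loose equality; `===` avoids numeric-string coercion for names such as `"1e3"` (constructed example). The enclosing `html()` function starts before the first hunk and continues after the second.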
