hardening: escape syslog output surfaces and harden host option rendering #264
Open
somethingwithproof wants to merge 2 commits into Cacti:develop from
Conversation
Contributor
Pull request overview
This PR hardens several unescaped UI output surfaces in the Syslog plugin for Cacti, closing XSS-equivalent risks where database values (hostnames, facility/priority names, filter patterns) were rendered into HTML without escaping.
Changes:
- Wrap database-sourced values (host, facility, priority, program) with html_escape() in stats table cells and filter <option> elements in syslog.php
- Escape confirmation dialog list items in syslog_reports.php and syslog_removal.php using html_escape(), and switch the report message column from form_selectable_cell to form_selectable_ecell for automatic escaping
- Replace jQuery HTML string concatenation with DOM-safe $('<option>').val().text().addClass() construction in js/functions.js to eliminate unescaped hostname injection via AJAX host autocomplete
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| syslog.php | Adds html_escape() around four <td> stat cells and three <option> lists (host, facility, priority) |
| syslog_reports.php | Escapes confirmation list item; switches report message table cell to form_selectable_ecell |
| syslog_removal.php | Escapes confirmation list item |
| js/functions.js | Replaces unsafe HTML concatenation for AJAX-loaded <option> elements with jQuery DOM API methods |
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
381cbb8 to 4dc6095
Summary
This PR hardens unescaped syslog UI output paths and removes unsafe HTML string insertion for AJAX host options.
Changes
- syslog.php
- syslog.php
- syslog_reports.php, syslog_removal.php
- syslog_reports.php
- js/functions.js
- tests/regression/*.php exist
Validation
Fixes #252
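The Copilot review above and this summary both describe the same two fixes: escaping database-sourced values before they reach HTML, and building AJAX host `<option>` elements without string concatenation. The following is an added example, not code from the Cacti syslog plugin or from this PR. It contrasts the concatenation pattern the PR removes with escaped output, using an escaper that mirrors PHP's htmlspecialchars() with ENT_QUOTES, which is what Cacti's html_escape() is assumed here to wrap; the hostname value is constructed for the demonstration.

```javascript
// Added example (not Cacti syslog plugin code). Assumes html_escape() in
// Cacti behaves like htmlspecialchars($s, ENT_QUOTES); the escaper below
// reproduces that behaviour so the comparison can run outside PHP.

const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Escape the five characters that can alter HTML structure or close an
// attribute value. '&' is escaped as well; otherwise a hostname that already
// contains "&lt;" would be decoded by the browser into a character it never had.
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Reverse mapping, used only to check that escaping loses no information.
function htmlUnescape(markup) {
  return markup.replace(/&(amp|lt|gt|quot|#039);/g, (entity) => {
    for (const [ch, ent] of Object.entries(ESCAPE_MAP)) {
      if (ent === entity) return ch;
    }
    return entity;
  });
}

// The pattern this PR replaces in js/functions.js: a database-sourced
// hostname is spliced into markup verbatim, once inside an attribute and
// once as element text.
function optionUnsafe(host) {
  return '<option value="' + host + '">' + host + '</option>';
}

// Escaped string form. In the browser, jQuery's
// $('<option>').val(host).text(host) reaches the same result through the
// DOM API without assembling markup at all.
function optionEscaped(host) {
  const safe = htmlEscape(host);
  return '<option value="' + safe + '">' + safe + '</option>';
}

// Count <option> start tags in a fragment: one hostname must produce
// exactly one element, however the hostname is spelled.
function countOptionTags(markup) {
  return (markup.match(/<option\b/g) || []).length;
}

// Constructed hostname that terminates the element early when interpolated
// raw. A real value would come from the syslog host table.
const CONSTRUCTED_HOST = '</option><option>injected';

function demo() {
  return {
    unsafeTags: countOptionTags(optionUnsafe(CONSTRUCTED_HOST)),   // 3
    escapedTags: countOptionTags(optionEscaped(CONSTRUCTED_HOST)), // 1
    roundTrip: htmlUnescape(htmlEscape(CONSTRUCTED_HOST)) === CONSTRUCTED_HOST, // true
  };
}

console.log(demo());
```

The tag count is the property worth checking in a regression test: for any hostname, the rendered filter must contain one `<option>` per host row, and the value attribute must decode back to the stored hostname. That is what form_selectable_ecell and the `.val()/.text()` construction guarantee and what string concatenation does not.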