From 8eeb85f5d5b4ac524ebb7ffbbf3360976e922af4 Mon Sep 17 00:00:00 2001
From: Aroldo de Mattos Bossoni <github@bossone.com.br>
Date: Fri, 6 Mar 2026 15:42:31 -0300
Subject: [PATCH] fix(ncp-web): prevent XSS via log output and undefined array
 key warning

This commit addresses two issues in the NextCloudPi web panel:

1. HTML injection via ncp.log content (XSS vulnerability)
   - When /var/log/ncp.log contains HTML-like content (e.g., <strftime_format>
     from certain backup operations), the unescaped output breaks the HTML parser
   - This causes the browser to ignore subsequent <script> tags, preventing
     minified.js and ncp.js from loading
   - Result: the dashboard never loads and shows infinite "System Info" spinner
   - Fix: wrap file_get_contents() with htmlspecialchars() in index.php line 290

2. PHP warning for undefined HTTP_ACCEPT_LANGUAGE
   - When requests lack Accept-Language header (e.g., API calls, curl),
     PHP emits "Undefined array key" warning
   - This warning can corrupt JSON responses from ncp-launcher.php
   - Fix: use null coalescing operator (?? '') in both index.php and
     ncp-launcher.php

Tested on NextCloudPi running in LXC container on Proxmox.

Made-with: Cursor
---
 ncp-web/index.php        | 4 ++--
 ncp-web/ncp-launcher.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ncp-web/index.php b/ncp-web/index.php
index 6f2001b6d..675b01dac 100644
--- a/ncp-web/index.php
+++ b/ncp-web/index.php
@@ -65,7 +65,7 @@
 <?php
   require("L10N.php");
   try {
-    $l = new L10N($_SERVER["HTTP_ACCEPT_LANGUAGE"], $l10nDir, $modules_path);
+    $l = new L10N(($_SERVER["HTTP_ACCEPT_LANGUAGE"] ?? ''), $l10nDir, $modules_path);
   } catch (Exception $e) {
     die("<p class='error'>Error while loading localizations!</p>");
   }
@@ -287,7 +287,7 @@
         <div id="logs-wrapper" class="content-box <?php if(!array_key_exists('app',$_GET) || (array_key_exists('app',$_GET) && $_GET['app'] != 'logs')) echo 'hidden';?>">
           <h2 class="text-title"><?php echo $l->__("NextcloudPi logs"); ?></h2>
           <div id="logs-content" class="table-wrapper">
-            <div id="logs-details-box" class="outputbox"><?php echo str_replace(array("\r\n", "\n", "\r"), '<br/>', file_get_contents('/var/log/ncp.log')) ?></div>
+            <div id="logs-details-box" class="outputbox"><?php echo str_replace(array("\r\n", "\n", "\r"), '<br/>', htmlspecialchars(file_get_contents('/var/log/ncp.log'), ENT_QUOTES, 'UTF-8')) ?></div>
             <div id="log-download-btn-wrapper"><input id="log-download-btn" type="button" value="Download"/></div>
           </div>
   </div>
diff --git a/ncp-web/ncp-launcher.php b/ncp-web/ncp-launcher.php
index 6a115045d..df0eede11 100644
--- a/ncp-web/ncp-launcher.php
+++ b/ncp-web/ncp-launcher.php
@@ -21,7 +21,7 @@
 //
 require("L10N.php");
 try {
-  $l = new L10N($_SERVER["HTTP_ACCEPT_LANGUAGE"], $l10nDir, $cfg_dir);
+  $l = new L10N(($_SERVER["HTTP_ACCEPT_LANGUAGE"] ?? ''), $l10nDir, $cfg_dir);
 } catch (Exception $e) {
   die(json_encode("<p class='error'>Error while loading localizations!</p>"));
 }