make use of utils.escapeHtml on the JS side of things, and html_entity_decode/htmlentities in PHP
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
@@ -5,6 +5,8 @@
|
||||
* This file is copyright under the latest version of the EUPL.
|
||||
* Please see LICENSE file for your rights under this license. */
|
||||
|
||||
/* global utils:false */
|
||||
|
||||
var table;
|
||||
var token = $("#token").text();
|
||||
|
||||
@@ -76,8 +78,8 @@ $(function () {
|
||||
});
|
||||
|
||||
function addCustomDNS() {
|
||||
var ip = $("#ip").val();
|
||||
var domain = $("#domain").val();
|
||||
var ip = utils.escapeHtml($("#ip").val());
|
||||
var domain = utils.escapeHtml($("#domain").val());
|
||||
|
||||
showAlert("info");
|
||||
$.ajax({
|
||||
|
||||
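Review bot: Escaping `ip` and `domain` with `utils.escapeHtml` before they are POSTed rewrites the request payload instead of protecting a render sink, so the server now receives entity-encoded input; the same pattern appears in the addAdlist, editAdlist, deleteAdlist, addClient, editClient, deleteClient, addDomain, editDomain, deleteDomain, addGroup, editGroup and deleteGroup hunks. For the group, domain and adlist endpoints this commit compensates with `html_entity_decode` in the PHP hunks, but no matching decode is visible for the custom DNS handler, so values reach that endpoint in a different form depending on whether the caller pre-encodes (for a valid IP or domain this is a no-op, which is presumably why it goes unnoticed). The safer shape is to send the raw value and escape only where it is rendered, e.g. inside `showAlert` and the table cell renderers, which also removes the need for the server-side decode. addCustomDNS continues past the end of the hunk.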
@@ -212,8 +212,8 @@ function initTable() {
|
||||
}
|
||||
|
||||
function addAdlist() {
|
||||
var address = $("#new_address").val();
|
||||
var comment = $("#new_comment").val();
|
||||
var address = utils.escapeHtml($("#new_address").val());
|
||||
var comment = utils.escapeHtml($("#new_comment").val());
|
||||
|
||||
utils.disableAll();
|
||||
utils.showAlert("info", "", "Adding adlist...", address);
|
||||
@@ -258,9 +258,9 @@ function editAdlist() {
|
||||
var tr = $(this).closest("tr");
|
||||
var id = tr.attr("data-id");
|
||||
var status = tr.find("#status_" + id).is(":checked") ? 1 : 0;
|
||||
var comment = tr.find("#comment_" + id).val();
|
||||
var comment = utils.escapeHtml(tr.find("#comment_" + id).val());
|
||||
var groups = tr.find("#multiselect_" + id).val();
|
||||
var address = tr.find("#address_" + id).text();
|
||||
var address = utils.escapeHtml(tr.find("#address_" + id).text());
|
||||
|
||||
var done = "edited";
|
||||
var notDone = "editing";
|
||||
@@ -338,7 +338,7 @@ function editAdlist() {
|
||||
function deleteAdlist() {
|
||||
var tr = $(this).closest("tr");
|
||||
var id = tr.attr("data-id");
|
||||
var address = tr.find("#address_" + id).text();
|
||||
var address = utils.escapeHtml(tr.find("#address_" + id).text());
|
||||
|
||||
utils.disableAll();
|
||||
utils.showAlert("info", "", "Deleting adlist...", address);
|
||||
|
||||
@@ -246,9 +246,9 @@ function initTable() {
|
||||
|
||||
function addClient() {
|
||||
var ip = $("#select").val();
|
||||
var comment = $("#new_comment").val();
|
||||
var comment = utils.escapeHtml($("#new_comment").val());
|
||||
if (ip === "custom") {
|
||||
ip = $("#ip-custom").val().trim();
|
||||
ip = utils.escapeHtml($("#ip-custom").val().trim());
|
||||
}
|
||||
|
||||
utils.disableAll();
|
||||
@@ -303,9 +303,9 @@ function editClient() {
|
||||
var tr = $(this).closest("tr");
|
||||
var id = tr.attr("data-id");
|
||||
var groups = tr.find("#multiselect_" + id).val();
|
||||
var ip = tr.find("#ip_" + id).text();
|
||||
var name = tr.find("#name_" + id).text();
|
||||
var comment = tr.find("#comment_" + id).val();
|
||||
var ip = utils.escapeHtml(tr.find("#ip_" + id).text());
|
||||
var name = utils.escapeHtml(tr.find("#name_" + id).text());
|
||||
var comment = utils.escapeHtml(tr.find("#comment_" + id).val());
|
||||
|
||||
var done = "edited";
|
||||
var notDone = "editing";
|
||||
@@ -370,7 +370,7 @@ function deleteClient() {
|
||||
var tr = $(this).closest("tr");
|
||||
var id = tr.attr("data-id");
|
||||
var ip = tr.find("#ip_" + id).text();
|
||||
var name = tr.find("#name_" + id).text();
|
||||
var name = utils.escapeHtml(tr.find("#name_" + id).text());
|
||||
|
||||
if (name.length > 0) {
|
||||
ip += " (" + name + ")";
|
||||
|
||||
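Review bot: `ip` on the `var ip = tr.find("#ip_" + id).text();` line stays unescaped while `name` is now passed through `utils.escapeHtml`, yet both are concatenated into the same string (`ip += " (" + name + ")"`) that presumably reaches `utils.showAlert` further down; `.text()` returns decoded content, so whatever protection the escape gives `name` does not cover `ip`. The editClient hunk escapes `ip` the same way as `name`, so this looks like an omission rather than a choice: `var ip = utils.escapeHtml(tr.find("#ip_" + id).text());`. Whether it matters depends on whether showAlert renders its arguments as HTML, which is outside the hunk; deleteClient continues past the hunk.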
@@ -318,8 +318,8 @@ function addDomain() {
|
||||
commentEl = $("#new_regex_comment");
|
||||
}
|
||||
|
||||
var domain = domainEl.val();
|
||||
var comment = commentEl.val();
|
||||
var domain = utils.escapeHtml(domainEl.val());
|
||||
var comment = utils.escapeHtml(commentEl.val());
|
||||
|
||||
utils.disableAll();
|
||||
utils.showAlert("info", "", "Adding " + domainRegex + "...", domain);
|
||||
@@ -385,10 +385,10 @@ function editDomain() {
|
||||
var elem = $(this).attr("id");
|
||||
var tr = $(this).closest("tr");
|
||||
var id = tr.attr("data-id");
|
||||
var domain = tr.find("#domain_" + id).text();
|
||||
var domain = utils.escapeHtml(tr.find("#domain_" + id).text());
|
||||
var type = tr.find("#type_" + id).val();
|
||||
var status = tr.find("#status_" + id).is(":checked") ? 1 : 0;
|
||||
var comment = tr.find("#comment_" + id).val();
|
||||
var comment = utils.escapeHtml(tr.find("#comment_" + id).val());
|
||||
|
||||
// Show group assignment field only if in full domain management mode
|
||||
// if not included, just use the row data.
|
||||
@@ -485,7 +485,7 @@ function editDomain() {
|
||||
function deleteDomain() {
|
||||
var tr = $(this).closest("tr");
|
||||
var id = tr.attr("data-id");
|
||||
var domain = tr.find("#domain_" + id).text();
|
||||
var domain = utils.escapeHtml(tr.find("#domain_" + id).text());
|
||||
var type = tr.find("#type_" + id).val();
|
||||
|
||||
var domainRegex;
|
||||
|
||||
@@ -127,8 +127,8 @@ $(function () {
|
||||
});
|
||||
|
||||
function addGroup() {
|
||||
var name = $("#new_name").val();
|
||||
var desc = $("#new_desc").val();
|
||||
var name = utils.escapeHtml($("#new_name").val());
|
||||
var desc = utils.escapeHtml($("#new_desc").val());
|
||||
|
||||
utils.disableAll();
|
||||
utils.showAlert("info", "", "Adding group...", name);
|
||||
@@ -166,9 +166,9 @@ function editGroup() {
|
||||
var elem = $(this).attr("id");
|
||||
var tr = $(this).closest("tr");
|
||||
var id = tr.attr("data-id");
|
||||
var name = tr.find("#name_" + id).val();
|
||||
var name = utils.escapeHtml(tr.find("#name_" + id).val());
|
||||
var status = tr.find("#status_" + id).is(":checked") ? 1 : 0;
|
||||
var desc = tr.find("#desc_" + id).val();
|
||||
var desc = utils.escapeHtml(tr.find("#desc_" + id).val());
|
||||
|
||||
var done = "edited";
|
||||
var notDone = "editing";
|
||||
@@ -239,7 +239,7 @@ function editGroup() {
|
||||
function deleteGroup() {
|
||||
var tr = $(this).closest("tr");
|
||||
var id = tr.attr("data-id");
|
||||
var name = tr.find("#name_" + id).val();
|
||||
var name = utils.escapeHtml(tr.find("#name_" + id).val());
|
||||
|
||||
utils.disableAll();
|
||||
utils.showAlert("info", "", "Deleting group...", name);
|
||||
|
||||
@@ -161,9 +161,9 @@ function add_to_table($db, $table, $domains, $comment=null, $wildcardstyle=false
|
||||
if($wildcardstyle)
|
||||
$domain = "(\\.|^)".str_replace(".","\\.",$domain)."$";
|
||||
|
||||
$stmt->bindValue(":$field", $domain, SQLITE3_TEXT);
|
||||
$stmt->bindValue(":$field", htmlentities($domain), SQLITE3_TEXT);
|
||||
if($bindcomment) {
|
||||
$stmt->bindValue(":comment", $comment, SQLITE3_TEXT);
|
||||
$stmt->bindValue(":comment", htmlentities($comment), SQLITE3_TEXT);
|
||||
}
|
||||
|
||||
if($stmt->execute() && $stmt->reset())
|
||||
|
||||
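Review bot: Binding `htmlentities($domain)` and `htmlentities($comment)` persists an HTML-encoded form in the database, i.e. encoding for one output context is applied at the storage layer; the `archive_restore_table` hunk at `@@ -196` does the same for every restored column. The groups.php hunks in this same commit store the opposite — `html_entity_decode`d raw values — so the same tables end up holding a mix of raw and entity-encoded rows, and any output-side escaping (the `utils.escapeHtml` this commit introduces) will double-encode the rows written here (`&` → `&amp;` → `&amp;amp;`). Without an explicit flags argument `htmlentities` also uses `ENT_COMPAT` on PHP before 8.1 and leaves `'` alone, so the encoding is partial anyway. I would bind the raw `$domain` and `$comment` here and keep escaping at the render site; add_to_table starts before the hunk.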
@@ -214,31 +214,34 @@ function deleteCustomDNSEntry()
|
||||
|
||||
function deleteAllCustomDNSEntries()
|
||||
{
|
||||
$handle = fopen($customDNSFile, "r");
|
||||
if ($handle)
|
||||
if (isset($customDNSFile))
|
||||
{
|
||||
try
|
||||
$handle = fopen($customDNSFile, "r");
|
||||
if ($handle)
|
||||
{
|
||||
while (($line = fgets($handle)) !== false) {
|
||||
$line = str_replace("\r","", $line);
|
||||
$line = str_replace("\n","", $line);
|
||||
$explodedLine = explode (" ", $line);
|
||||
try
|
||||
{
|
||||
while (($line = fgets($handle)) !== false) {
|
||||
$line = str_replace("\r","", $line);
|
||||
$line = str_replace("\n","", $line);
|
||||
$explodedLine = explode (" ", $line);
|
||||
|
||||
if (count($explodedLine) != 2)
|
||||
continue;
|
||||
if (count($explodedLine) != 2)
|
||||
continue;
|
||||
|
||||
$ip = $explodedLine[0];
|
||||
$domain = $explodedLine[1];
|
||||
$ip = $explodedLine[0];
|
||||
$domain = $explodedLine[1];
|
||||
|
||||
pihole_execute("-a removecustomdns ".$ip." ".$domain);
|
||||
pihole_execute("-a removecustomdns ".$ip." ".$domain);
|
||||
}
|
||||
}
|
||||
catch (\Exception $ex)
|
||||
{
|
||||
return errorJsonResponse($ex->getMessage());
|
||||
}
|
||||
}
|
||||
catch (\Exception $ex)
|
||||
{
|
||||
return errorJsonResponse($ex->getMessage());
|
||||
}
|
||||
|
||||
fclose($handle);
|
||||
fclose($handle);
|
||||
}
|
||||
}
|
||||
|
||||
return successJsonResponse();
|
||||
|
||||
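Review bot: The new `if (isset($customDNSFile))` guard hides an undefined variable rather than fixing it: `deleteAllCustomDNSEntries()` takes no parameters and no `global $customDNSFile;` appears between the opening brace and the guard, so in function scope the variable is unset, the guard cannot be true, and the function falls through to `return successJsonResponse();` having deleted nothing. Before this change the same situation produced an undefined-variable warning and a failed `fopen`; now it is silent and reports success. Unless the variable is brought into scope in a way I cannot see here, the fix is `global $customDNSFile;` as the first statement of the function, and an unopenable file should return `errorJsonResponse(...)` instead of success so the UI does not confirm a deletion that did not happen.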
@@ -58,7 +58,8 @@ if ($_POST['action'] == 'get_groups') {
|
||||
} elseif ($_POST['action'] == 'add_group') {
|
||||
// Add new group
|
||||
try {
|
||||
$names = str_getcsv(trim($_POST['name']), ' ');
|
||||
$input = html_entity_decode(trim($_POST['name']));
|
||||
$names = str_getcsv($input, ' ');
|
||||
$total = count($names);
|
||||
$added = 0;
|
||||
$stmt = $db->prepare('INSERT INTO "group" (name,description) VALUES (:name,:desc)');
|
||||
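Review bot: `html_entity_decode(trim($_POST['name']))` is called without a flags argument, and on PHP before 8.1 the default is `ENT_COMPAT`, which decodes `&quot;` but deliberately leaves `&#039;` untouched; if `utils.escapeHtml` on the JS side encodes `'` (its map is not visible here), a name such as `Bob's laptop` is stored with the entity still in it while `&`, `<`, `>` and `"` are decoded. The same call shape is repeated in the edit_group hunk (`$name`, `$desc`) and in the comment, domain and address decodes at `@@ -263`, `-293`, `-453`, `-474`, `-573`, `-742`, `-751` and `-800`. Passing the flags explicitly makes the round trip symmetric with the client: `$input = html_entity_decode(trim($_POST['name']), ENT_QUOTES);`. Note that the decode also alters input from any caller that does not pre-encode (a literal `&amp;` typed into a form becomes `&`), so the endpoint now depends on the JS escaping step being in place.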
@@ -96,6 +97,9 @@ if ($_POST['action'] == 'get_groups') {
|
||||
} elseif ($_POST['action'] == 'edit_group') {
|
||||
// Edit group identified by ID
|
||||
try {
|
||||
$name = html_entity_decode($_POST['name']);
|
||||
$desc = html_entity_decode($_POST['desc']);
|
||||
|
||||
$stmt = $db->prepare('UPDATE "group" SET enabled=:enabled, name=:name, description=:desc WHERE id = :id');
|
||||
if (!$stmt) {
|
||||
throw new Exception('While preparing statement: ' . $db->lastErrorMsg());
|
||||
@@ -106,11 +110,10 @@ if ($_POST['action'] == 'get_groups') {
|
||||
throw new Exception('While binding enabled: ' . $db->lastErrorMsg());
|
||||
}
|
||||
|
||||
if (!$stmt->bindValue(':name', $_POST['name'], SQLITE3_TEXT)) {
|
||||
if (!$stmt->bindValue(':name', $name, SQLITE3_TEXT)) {
|
||||
throw new Exception('While binding name: ' . $db->lastErrorMsg());
|
||||
}
|
||||
|
||||
$desc = $_POST['desc'];
|
||||
if (strlen($desc) === 0) {
|
||||
// Store NULL in database for empty descriptions
|
||||
$desc = null;
|
||||
@@ -263,7 +266,7 @@ if ($_POST['action'] == 'get_groups') {
|
||||
throw new Exception('While binding ip: ' . $db->lastErrorMsg());
|
||||
}
|
||||
|
||||
$comment = $_POST['comment'];
|
||||
$comment = html_entity_decode($_POST['comment']);
|
||||
if (strlen($comment) === 0) {
|
||||
// Store NULL in database for empty comments
|
||||
$comment = null;
|
||||
@@ -293,7 +296,7 @@ if ($_POST['action'] == 'get_groups') {
|
||||
throw new Exception('While preparing statement: ' . $db->lastErrorMsg());
|
||||
}
|
||||
|
||||
$comment = $_POST['comment'];
|
||||
$comment = html_entity_decode($_POST['comment']);
|
||||
if (strlen($comment) === 0) {
|
||||
// Store NULL in database for empty comments
|
||||
$comment = null;
|
||||
@@ -453,7 +456,7 @@ if ($_POST['action'] == 'get_groups') {
|
||||
} elseif ($_POST['action'] == 'add_domain') {
|
||||
// Add new domain
|
||||
try {
|
||||
$domains = explode(' ', trim($_POST['domain']));
|
||||
$domains = explode(' ', html_entity_decode(trim($_POST['domain'])));
|
||||
$before = intval($db->querySingle("SELECT COUNT(*) FROM domainlist;"));
|
||||
$total = count($domains);
|
||||
$added = 0;
|
||||
@@ -474,7 +477,7 @@ if ($_POST['action'] == 'get_groups') {
|
||||
throw new Exception('While binding type: ' . $db->lastErrorMsg());
|
||||
}
|
||||
|
||||
$comment = $_POST['comment'];
|
||||
$comment = html_entity_decode($_POST['comment']);
|
||||
if (strlen($comment) === 0) {
|
||||
// Store NULL in database for empty comments
|
||||
$comment = null;
|
||||
@@ -573,7 +576,7 @@ if ($_POST['action'] == 'get_groups') {
|
||||
throw new Exception('While binding enabled: ' . $db->lastErrorMsg());
|
||||
}
|
||||
|
||||
$comment = $_POST['comment'];
|
||||
$comment = html_entity_decode($_POST['comment']);
|
||||
if (strlen($comment) === 0) {
|
||||
// Store NULL in database for empty comments
|
||||
$comment = null;
|
||||
@@ -742,7 +745,7 @@ if ($_POST['action'] == 'get_groups') {
|
||||
} elseif ($_POST['action'] == 'add_adlist') {
|
||||
// Add new adlist
|
||||
try {
|
||||
$addresses = explode(' ', trim($_POST['address']));
|
||||
$addresses = explode(' ', html_entity_decode(trim($_POST['address'])));
|
||||
$total = count($addresses);
|
||||
$added = 0;
|
||||
|
||||
@@ -751,7 +754,7 @@ if ($_POST['action'] == 'get_groups') {
|
||||
throw new Exception('While preparing statement: ' . $db->lastErrorMsg());
|
||||
}
|
||||
|
||||
$comment = $_POST['comment'];
|
||||
$comment = html_entity_decode($_POST['comment']);
|
||||
if (strlen($comment) === 0) {
|
||||
// Store NULL in database for empty comments
|
||||
$comment = null;
|
||||
@@ -800,7 +803,7 @@ if ($_POST['action'] == 'get_groups') {
|
||||
throw new Exception('While binding enabled: ' . $db->lastErrorMsg());
|
||||
}
|
||||
|
||||
$comment = $_POST['comment'];
|
||||
$comment = html_entity_decode($_POST['comment']);
|
||||
if (strlen($comment) === 0) {
|
||||
// Store NULL in database for empty comments
|
||||
$comment = null;
|
||||
|
||||
@@ -173,7 +173,7 @@ function archive_restore_table($file, $table, $flush=false)
|
||||
foreach($contents as $row)
|
||||
{
|
||||
// Limit max length for a domain entry to 253 chars
|
||||
if(strlen($row[$field]) > 253)
|
||||
if(isset($field) && strlen($row[$field]) > 253)
|
||||
continue;
|
||||
|
||||
// Bind properties from JSON data
|
||||
@@ -196,7 +196,7 @@ function archive_restore_table($file, $table, $flush=false)
|
||||
default:
|
||||
$sqltype = "UNK";
|
||||
}
|
||||
$stmt->bindValue(":".$key, $value, $sqltype);
|
||||
$stmt->bindValue(":".$key, htmlentities($value), $sqltype);
|
||||
}
|
||||
|
||||
if($stmt->execute() && $stmt->reset() && $stmt->clear())
|
||||
|
||||