From 9a4a11861a9f5a88c41f43751a40247983ac6416 Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Wed, 11 Jan 2023 15:30:03 +0100
Subject: [PATCH] Fix some reflected XSS bugs

fixes #4979

(cherry picked from commit e542982de06be6b7bcab07be4f3a4423e84b8d7a)
---
 .../views/scripts/form/reorder-authbackend.phtml     | 12 +++++++++++-
 .../scripts/form/reorder-command-transports.phtml    | 10 +++++-----
 .../views/scripts/form/setup-modules.phtml           | 10 +++++-----
 .../views/scripts/form/setup-requirements.phtml      | 10 +++++-----
 .../views/scripts/form/setup-summary.phtml           | 10 +++++-----
 5 files changed, 31 insertions(+), 21 deletions(-)

diff --git a/application/views/scripts/form/reorder-authbackend.phtml b/application/views/scripts/form/reorder-authbackend.phtml
index 08a2431d1..34b10b323 100644
--- a/application/views/scripts/form/reorder-authbackend.phtml
+++ b/application/views/scripts/form/reorder-authbackend.phtml
@@ -1,4 +1,14 @@
-<form id="<?= $form->getId() ?>" name="<?= $form->getName() ?>" enctype="<?= $form->getEncType() ?>" method="<?= $form->getMethod() ?>" action="<?= $form->getAction() ?>">
+<form id="<?=
+$this->escape($form->getId())
+?>" name="<?=
+$this->escape($form->getName())
+?>" enctype="<?=
+$this->escape($form->getEncType())
+?>" method="<?=
+$this->escape($form->getMethod())
+?>" action="<?=
+$this->escape($form->getAction())
+?>">
   <table class="table-row-selectable common-table" data-base-target="_next">
     <thead>
       <th><?= $this->translate('Backend') ?></th>
diff --git a/modules/monitoring/application/views/scripts/form/reorder-command-transports.phtml b/modules/monitoring/application/views/scripts/form/reorder-command-transports.phtml
index 49fc8504e..2f81610fa 100644
--- a/modules/monitoring/application/views/scripts/form/reorder-command-transports.phtml
+++ b/modules/monitoring/application/views/scripts/form/reorder-command-transports.phtml
@@ -3,15 +3,15 @@
 /** @var \Icinga\Module\Monitoring\Forms\Config\TransportReorderForm $form */
 ?>
 <form id="<?=
-    $form->getId()
+$this->escape($form->getId())
 ?>" name="<?=
-    $form->getName()
+$this->escape($form->getName())
 ?>" enctype="<?=
-    $form->getEncType()
+$this->escape($form->getEncType())
 ?>" method="<?=
-    $form->getMethod()
+$this->escape($form->getMethod())
 ?>" action="<?=
-    $form->getAction()
+$this->escape($form->getAction())
 ?>">
     <table class="table-row-selectable common-table" data-base-target="_next">
         <thead>
diff --git a/modules/setup/application/views/scripts/form/setup-modules.phtml b/modules/setup/application/views/scripts/form/setup-modules.phtml
index 51a8c2a51..e57c7dcef 100644
--- a/modules/setup/application/views/scripts/form/setup-modules.phtml
+++ b/modules/setup/application/views/scripts/form/setup-modules.phtml
@@ -4,11 +4,11 @@ use Icinga\Web\Wizard;
 
 ?>
 <form
- id="<?= $form->getName(); ?>"
- name="<?= $form->getName(); ?>"
- enctype="<?= $form->getEncType(); ?>"
- method="<?= $form->getMethod(); ?>"
- action="<?= $form->getAction(); ?>"
+ id="<?= $this->escape($form->getName()); ?>"
+ name="<?= $this->escape($form->getName()); ?>"
+ enctype="<?= $this->escape($form->getEncType()); ?>"
+ method="<?= $this->escape($form->getMethod()); ?>"
+ action="<?= $this->escape($form->getAction()); ?>"
  class="icinga-controls"
  data-progress-element="<?= Wizard::PROGRESS_ELEMENT; ?>"
 >
diff --git a/modules/setup/application/views/scripts/form/setup-requirements.phtml b/modules/setup/application/views/scripts/form/setup-requirements.phtml
index ac1ef7b5d..544f284c6 100644
--- a/modules/setup/application/views/scripts/form/setup-requirements.phtml
+++ b/modules/setup/application/views/scripts/form/setup-requirements.phtml
@@ -14,11 +14,11 @@ if (! $form->getWizard()->getRequirements()->fulfilled()) {
 <?= $wizard->getRequirements(); ?>
 <?php endforeach ?>
 <form
- id="<?= $form->getName(); ?>"
- name="<?= $form->getName(); ?>"
- enctype="<?= $form->getEncType(); ?>"
- method="<?= $form->getMethod(); ?>"
- action="<?= $form->getAction(); ?>"
+ id="<?= $this->escape($form->getName()); ?>"
+ name="<?= $this->escape($form->getName()); ?>"
+ enctype="<?= $this->escape($form->getEncType()); ?>"
+ method="<?= $this->escape($form->getMethod()); ?>"
+ action="<?= $this->escape($form->getAction()); ?>"
  data-progress-element="<?= Wizard::PROGRESS_ELEMENT; ?>"
 >
   <?= $form->getElement($form->getTokenElementName()); ?>
diff --git a/modules/setup/application/views/scripts/form/setup-summary.phtml b/modules/setup/application/views/scripts/form/setup-summary.phtml
index bcd259288..3ad02652e 100644
--- a/modules/setup/application/views/scripts/form/setup-summary.phtml
+++ b/modules/setup/application/views/scripts/form/setup-summary.phtml
@@ -26,11 +26,11 @@ $form->getElement(Wizard::BTN_NEXT)->setAttrib(
 <?php endforeach ?>
 </div>
 <form
- id="<?= $form->getName(); ?>"
- name="<?= $form->getName(); ?>"
- enctype="<?= $form->getEncType(); ?>"
- method="<?= $form->getMethod(); ?>"
- action="<?= $form->getAction(); ?>"
+ id="<?= $this->escape($form->getName()); ?>"
+ name="<?= $this->escape($form->getName()); ?>"
+ enctype="<?= $this->escape($form->getEncType()); ?>"
+ method="<?= $this->escape($form->getMethod()); ?>"
+ action="<?= $this->escape($form->getAction()); ?>"
  data-progress-element="<?= Wizard::PROGRESS_ELEMENT; ?>"
  class="summary"
 >