From c953e4f92dbbb74337c5ecf37990b6dbea83071d Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Tue, 2 Feb 2021 16:01:29 +0100
Subject: [PATCH] monitoring/list/hosts: Protect custom variables added with
 `?addColumns`

---
 modules/monitoring/application/views/scripts/list/hosts.phtml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/monitoring/application/views/scripts/list/hosts.phtml b/modules/monitoring/application/views/scripts/list/hosts.phtml
index 5ff6aea72..c412f2f52 100644
--- a/modules/monitoring/application/views/scripts/list/hosts.phtml
+++ b/modules/monitoring/application/views/scripts/list/hosts.phtml
@@ -92,7 +92,11 @@ if (! $this->compact): ?>
                 <p class="overview-plugin-output"><?= $this->pluginOutput($this->ellipsis($host->host_output, 10000), true, $host->host_check_command) ?></p>
             </td>
         <?php foreach($this->addColumns as $col): ?>
+          <?php if ($host->$col && preg_match('~^_(host|service)_([a-zA-Z0-9_]+)$~', $col, $m)): ?>
+            <td><?= $this->escape(\Icinga\Module\Monitoring\Object\MonitoredObject::protectCustomVars([$m[2] => $host->$col])[$m[2]]) ?></td>
+          <?php else: ?>
             <td><?= $this->escape($host->$col) ?></td>
+          <?php endif ?>
         <?php endforeach ?>
         </tr>
     <?php endforeach ?>