From e035f5b9f295ac36860797ddfe21c9a2b29c8ca2 Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Tue, 2 Feb 2021 16:06:32 +0100
Subject: [PATCH] monitoring/list/services: Protect custom variables added with
 `?addColumns`

---
 .../monitoring/application/views/scripts/list/services.phtml  | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/monitoring/application/views/scripts/list/services.phtml b/modules/monitoring/application/views/scripts/list/services.phtml
index 9b785a073..35835876b 100644
--- a/modules/monitoring/application/views/scripts/list/services.phtml
+++ b/modules/monitoring/application/views/scripts/list/services.phtml
@@ -120,7 +120,11 @@ if (! $this->compact): ?>
                 </div>
             </td>
         <?php foreach($this->addColumns as $col): ?>
+          <?php if ($service->$col && preg_match('~^_(host|service)_([a-zA-Z0-9_]+)$~', $col, $m)): ?>
+            <td><?= $this->escape(\Icinga\Module\Monitoring\Object\MonitoredObject::protectCustomVars([$m[2] => $service->$col])[$m[2]]) ?></td>
+          <?php else: ?>
             <td><?= $this->escape($service->$col) ?></td>
+          <?php endif ?>
         <?php endforeach ?>
         </tr>
     <?php endforeach ?>