From 30f621a49f63e711a8881a031e1a1730beeff734 Mon Sep 17 00:00:00 2001
From: Andre Lorbach
Date: Mon, 1 Sep 2014 16:37:46 +0200
Subject: [PATCH] Fixed Cross Site Scripting Issue In index.php/detail.php for stringtype fields

---
 ChangeLog | 4 +++-
 src/details.php | 2 +-
 src/index.php | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3658198..348bf73 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,9 +1,11 @@
 ---------------------------------------------------------------------------
-Version 3.6.6 (stable), 2014-??-??
+Version 3.6.6 (stable), 2014-09-01
 - Fixed bug in databasemapping admin. The form parameter and database
   fieldname of EventID field were interfering.
 - Fixed a bug in maintenance.php, the ID parameter was forced to an integer.
   A leftover from earlier loganalyzer days.
+- Fixed Cross Site Scripting Issue in index.php/detail.php for
+  stringtype fields.
 ---------------------------------------------------------------------------
 Version 3.6.5 (stable), 2013-10-08
 - LogStreamDB Driver, LogStreamPDO Driver, UserDB:
diff --git a/src/details.php b/src/details.php
index 50f4565..f7e0fb6 100644
--- a/src/details.php
+++ b/src/details.php
@@ -286,7 +286,7 @@ if ( isset($content['Sources'][$currentSourceID]) ) // && $content['uid_current'
 if ( $mycolkey == SYSLOG_MESSAGE )
 $content['fields'][$mycolkey]['fieldvalue'] = ReplaceLineBreaksInString( GetStringWithHTMLCodes($logArray[$mycolkey]) );
 else // kindly copy!
-$content['fields'][$mycolkey]['fieldvalue'] = ReplaceLineBreaksInString( $logArray[$mycolkey] );
+$content['fields'][$mycolkey]['fieldvalue'] = ReplaceLineBreaksInString( GetStringWithHTMLCodes($logArray[$mycolkey]) );
 
 // --- HOOK here to add context links!
 AddContextLinks($content['fields'][$mycolkey]['fieldvalue']);
diff --git a/src/index.php b/src/index.php
index d0fcafa..ff605f1 100644
--- a/src/index.php
+++ b/src/index.php
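Review bot: After this change both arms of the `if ( $mycolkey == SYSLOG_MESSAGE )` conditional in details.php are identical, so the branch is dead and should collapse to the single line `$content['fields'][$mycolkey]['fieldvalue'] = ReplaceLineBreaksInString( GetStringWithHTMLCodes($logArray[$mycolkey]) );` with the `else // kindly copy!` comment dropped, since the "copy as-is" intent no longer holds. Keeping the call order as written (encode first, then ReplaceLineBreaksInString) matters if ReplaceLineBreaksInString injects `<br>` markup, as its name suggests; reversing it would neutralise the line breaks, so a one-line comment such as `// encode the raw field before line-break markup is added, so user-controlled log text cannot inject HTML` would document the dependency. Because the value is then handed to AddContextLinks and stored for the template, any later consumer that expects the unencoded string will now see HTML entities; that is not visible in this hunk and should be checked for double-encoding. The enclosing loop and the function around it start and end outside the hunk.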
@@ -573,7 +573,7 @@ if ( isset($content['Sources'][$currentSourceID]) ) // --- } else // Just set field value - $content['syslogmessages'][$counter]['values'][$mycolkey]['messagesdetails'][$myIndex]['detailfieldvalue'] = isset($myfield['rawfieldvalue']) ? $myfield['rawfieldvalue'] : $myfield['fieldvalue']; + $content['syslogmessages'][$counter]['values'][$mycolkey]['messagesdetails'][$myIndex]['detailfieldvalue'] = isset($myfield['rawfieldvalue']) ? GetStringWithHTMLCodes($myfield['rawfieldvalue']) : GetStringWithHTMLCodes($myfield['fieldvalue']); } }
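Review bot: The new line in index.php applies GetStringWithHTMLCodes on both arms of the ternary, which is clearer as one call around the selection: `$content['syslogmessages'][$counter]['values'][$mycolkey]['messagesdetails'][$myIndex]['detailfieldvalue'] = GetStringWithHTMLCodes( isset($myfield['rawfieldvalue']) ? $myfield['rawfieldvalue'] : $myfield['fieldvalue'] );`. Whether `$myfield['fieldvalue']` is already HTML-encoded before it reaches this point is not visible in the hunk; the details.php change in this same commit encodes `fieldvalue` for the message field, so the `fieldvalue` fallback here may now be encoded twice and show `&amp;lt;`-style artifacts, which is worth a check with a log line containing `<` or `&`. A short comment above the assignment stating that `rawfieldvalue` is the unencoded source value and `fieldvalue` is the fallback would make the intended single encoding step explicit. The enclosing `else` branch and the loops around it begin before the hunk.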