From 69ff2d22f8c7e1218b74eb2f6a9b3ade227a3037 Mon Sep 17 00:00:00 2001
From: Andre Lorbach
Date: Tue, 22 May 2012 12:05:27 +0200
Subject: [PATCH] Fixed Cross Site scripting issue filter parameter on index.php

---
 src/include/functions_common.php | 41 ++++++++++++++++++++++++++++++--
 src/index.php | 4 ++--
 2 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/src/include/functions_common.php b/src/include/functions_common.php
index 548b7c9..b0a7fa0 100644
--- a/src/include/functions_common.php
+++ b/src/include/functions_common.php
@@ -1341,7 +1341,7 @@ function OutputDebugMessage($szDbg, $szDbgLevel = DEBUG_INFO)
 "DBGLEVEL" => $szDbgLevel,
 "DBGLEVELTXT" => GetDebugModeString($szDbgLevel),
 "DBGLEVELBG" => GetDebugBgColor($szDbgLevel),
- "DBGMSG" => "$szDbg"
+ "DBGMSG" => strip_dangerous_html_tags($szDbg)
 );
 }
@@ -1954,6 +1954,43 @@ function MultiSortArrayByItemCountAsc( $arrayFirst, $arraySecond )
 // Move up or down
 return ($arrayFirst['itemcount'] < $arraySecond['itemcount']) ? -1 : 1;
 }
-// ---
+/**
+* Helper function to remove dangerous HTML Tags
+*/
+function strip_dangerous_html_tags( $text )
+{
+ $text = preg_replace(
+ array(
+ // Remove invisible content
+ '@]*?>@siu',
+ '@@siu',
+ '@]*?>@siu',
+ '@@siu',
+ '@]*?>@siu',
+ '@@siu',
+ '@]*?>@siu',
+ '@/script>@siu',
+ '@]*?>@siu',
+ '@@siu',
+ '@]*?>@siu',
+ '@@siu',
+ '@]*?>@siu',
+ '@@siu',
+ '@]*?>@siu',
+ '@@siu',
+ '@]*?>@siu',
+ '@@siu',
+ '@]*?>@siu',
+ '@@siu',
+ ),
+ array(
+ ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ',
+ ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ',
+ ), $text );
+
+ return $text;
+}
+
+// ---
 ?>
\ No newline at end of file
diff --git a/src/index.php b/src/index.php
index ba84b5a..2f41b3f 100644
--- a/src/index.php
+++ b/src/index.php
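Review bot: Routing `$szDbg` through `strip_dangerous_html_tags` on the new DBGMSG line still hands the template an unescaped string, so any markup the tag denylist does not name, and any attributes on tags it leaves in place, reach the page unchanged; a fixed list of tag names is not a reliable XSS fix for a value that is rendered into HTML. If the template does not need markup in DBGMSG, escaping at this point is both simpler and complete: `"DBGMSG" => htmlspecialchars($szDbg, ENT_QUOTES, 'UTF-8')`. The same concern applies to the new helper added in the second hunk of this file. OutputDebugMessage begins before this hunk, so I could not confirm from here how DBGMSG is finally emitted.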
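Review bot: `preg_replace` returns null rather than a string on a PCRE error (with the `u` modifier this includes `$text` not being valid UTF-8), and the new `strip_dangerous_html_tags` returns that null to its caller unchecked, so an offending debug message is silently dropped instead of sanitised. A guard after the call keeps the contract of returning a string: `if ( $text === null ) { $text = ''; }`. As rendered here the pattern array has 20 entries while the replacement array has 18; PHP substitutes an empty string for the trailing patterns that have no counterpart, so the two arrays should be made the same length to get the intended `' '`. The docblock should also state what the helper is and is not, e.g. `* Removes a fixed list of tag names only; it does not escape output and must not be relied on by itself for XSS protection.`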
@@ -197,8 +197,8 @@ if ( (isset($_POST['search']) || isset($_GET['search'])) || (isset($_POST['filte
 $content['TITLE'] = InitPageTitle();
 // Append custom title part!
-if ( isset($content['searchstr']) && strlen($content['searchstr']) > 0 )
- $content['TITLE'] .= " :: Results for the search '" . $content['searchstr'] . "'"; // Append search
+if ( isset($content['searchstr_htmlform']) && strlen($content['searchstr_htmlform']) > 0 )
+ $content['TITLE'] .= " :: Results for the search '" . $content['searchstr_htmlform'] . "'"; // Append search
 else
 $content['TITLE'] .= " :: All Syslogmessages";
 // --- END CREATE TITLE
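Review bot: The title now appends `$content['searchstr_htmlform']`, which from its name I take to be the HTML-escaped copy of `searchstr`; its assignment is outside this hunk, so the fix rests on it being set wherever `searchstr` is, and when it is not the page silently falls to the "All Syslogmessages" branch. A short comment would make that contract visible to the next editor: `// TITLE is emitted into HTML; only append pre-escaped values such as searchstr_htmlform`. The length test could read `$content['searchstr_htmlform'] !== ''`, which says what is meant more directly than `strlen(...) > 0`. This is top-level script code, and the surrounding if block named in the hunk header lies outside the hunk.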