Fixed Cross Site scripting issue filter parameter on index.php

This commit is contained in:
Andre Lorbach 2012-05-22 12:05:27 +02:00
parent 0716c4ec9a
commit 69ff2d22f8
2 changed files with 41 additions and 4 deletions


@ -1341,7 +1341,7 @@ function OutputDebugMessage($szDbg, $szDbgLevel = DEBUG_INFO)
"DBGLEVEL" => $szDbgLevel, "DBGLEVEL" => $szDbgLevel,
"DBGLEVELTXT" => GetDebugModeString($szDbgLevel), "DBGLEVELTXT" => GetDebugModeString($szDbgLevel),
"DBGLEVELBG" => GetDebugBgColor($szDbgLevel), "DBGLEVELBG" => GetDebugBgColor($szDbgLevel),
"DBGMSG" => "$szDbg" "DBGMSG" => strip_dangerous_html_tags($szDbg)
); );
} }
@ -1954,6 +1954,43 @@ function MultiSortArrayByItemCountAsc( $arrayFirst, $arraySecond )
// Move up or down // Move up or down
return ($arrayFirst['itemcount'] < $arraySecond['itemcount']) ? -1 : 1; return ($arrayFirst['itemcount'] < $arraySecond['itemcount']) ? -1 : 1;
} }
// ---
/**
* Helper function to remove dangerous HTML Tags
*/
function strip_dangerous_html_tags( $text )
{
$text = preg_replace(
array(
// Remove invisible content
'@<title[^>]*?>@siu',
'@</title>@siu',
'@<head[^>]*?>@siu',
'@</head>@siu',
'@<style[^>]*?>@siu',
'@</style>@siu',
'@<script[^>]*?>@siu',
'@/script>@siu',
'@<object[^>]*?>@siu',
'@</object>@siu',
'@<embed[^>]*?>@siu',
'@</embed>@siu',
'@<applet[^>]*?>@siu',
'@</applet>@siu',
'@<noframes[^>]*?>@siu',
'@</noframes>@siu',
'@<noscript[^>]*?>@siu',
'@</noscript>@siu',
'@<noembed[^>]*?>@siu',
'@</noembed>@siu',
),
array(
' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ',
' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ',
), $text );
return $text;
}
// ---
?> ?>
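Review bot: strip_dangerous_html_tags (the new function in the second hunk) only removes a fixed list of tag names, so a debug message containing a tag outside that list, or a handler attribute on a tag that is not stripped, still reaches the page unencoded; because OutputDebugMessage (whose body starts outside the first hunk) is storing text that is later rendered as HTML, encoding at that point is the robust fix: `"DBGMSG" => htmlspecialchars($szDbg, ENT_QUOTES, 'UTF-8')`. Two smaller defects in the list itself: the script closing pattern is missing its `<` (`'@/script>@siu'` leaves a stray `<` behind; it should be `'@</script>@siu'`), and the replacement array has 18 entries for 20 patterns, so the two `noembed` patterns are replaced with an empty string rather than `' '`. The comment `// Remove invisible content` overstates what the patterns do — only the tags are stripped and the text between them is kept — so it should read `// Strip the opening/closing tags of these elements (their inner text is kept)`, and the docblock should state `@param string $text @return string`. The trailing `?>` in a PHP-only file is also better omitted, since any byte after it becomes output.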


@ -197,8 +197,8 @@ if ( (isset($_POST['search']) || isset($_GET['search'])) || (isset($_POST['filte
$content['TITLE'] = InitPageTitle(); $content['TITLE'] = InitPageTitle();
// Append custom title part! // Append custom title part!
if ( isset($content['searchstr']) && strlen($content['searchstr']) > 0 ) if ( isset($content['searchstr_htmlform']) && strlen($content['searchstr_htmlform']) > 0 )
$content['TITLE'] .= " :: Results for the search '" . $content['searchstr'] . "'"; // Append search $content['TITLE'] .= " :: Results for the search '" . $content['searchstr_htmlform'] . "'"; // Append search
else else
$content['TITLE'] .= " :: All Syslogmessages"; $content['TITLE'] .= " :: All Syslogmessages";
// --- END CREATE TITLE // --- END CREATE TITLE
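Review bot: The title now embeds `$content['searchstr_htmlform']`, whose escaping is performed outside this hunk, so whether it was produced with ENT_QUOTES cannot be confirmed here; the value is wrapped in single quotes inside the title string, which is harmless in HTML text content but would matter if the template also places TITLE into an attribute, so the definition site is worth checking. As a point of style, the unbraced `if`/`else` with a trailing comment on the body line is fragile to later edits; `if (isset($content['searchstr_htmlform']) && $content['searchstr_htmlform'] !== '') {` with braces on both branches reads more safely. The enclosing `if` shown in the hunk header starts outside the hunk.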