Merge branch 'ent-7657-Vulnerabilidad-xss-en-nombre-de-modulos' into 'develop'

fixed xss vulnerability

See merge request artica/pandorafms!4196

pandora_console/godmode/agentes/configurar_agente.php

@@ -2368,7 +2368,7 @@ switch ($tab) {
             
             var aget_id_os = '<?php echo agents_get_os(modules_get_agentmodule_agent(get_parameter('id_agent_module'))); ?>';
             
-            if('<?php echo html_entity_decode(modules_get_agentmodule_name(get_parameter('id_agent_module'))); ?>' != $('#text-name').val() &&
+            if('<?php echo modules_get_agentmodule_name(get_parameter('id_agent_module')); ?>' != $('#text-name').val() &&
              '<?php echo agents_get_os(modules_get_agentmodule_agent(get_parameter('id_agent_module'))); ?>' == 19){
                 
                 event.preventDefault();
@@ -2402,7 +2402,7 @@ switch ($tab) {
             
             var module_type_snmp =  '<?php echo modules_get_agentmodule_type(get_parameter('id_agent_module')); ?>';
             
-            if('<?php echo html_entity_decode(modules_get_agentmodule_name(get_parameter('id_agent_module'))); ?>' != $('#text-name').val() && (
+            if('<?php echo modules_get_agentmodule_name(get_parameter('id_agent_module')); ?>' != $('#text-name').val() && (
                 module_type_snmp == 15 || module_type_snmp == 16 || module_type_snmp == 17 || module_type_snmp == 18)){
                     
                     event.preventDefault();

pandora_console/godmode/agentes/module_manager_editor_common.php

@@ -215,7 +215,7 @@ $table_simple->colspan[3][1] = 3;
 $table_simple->data[0][0] = __('Name');
 $table_simple->data[0][1] = html_print_input_text_extended(
     'name',
-    io_safe_input(html_entity_decode($name, ENT_QUOTES, 'UTF-8')),
+    $name,
     'text-name',
     '',
     45,

pandora_console/include/javascript/pandora.js

@@ -281,11 +281,11 @@ function agent_changed_by_multiple_agents(event, id_agent, selected) {
       $.each(data, function(i, val) {
         var s = js_html_entity_decode(val);
 
+        s = s.replace(/"/g, """).replace(/'/g, "'");
+        i = i.replace(/"/g, """).replace(/'/g, "'");
+
         $("#module").append(
-          $("<option></option>")
-            .html(s)
-            .attr("value", i)
-            .attr("title", s)
+          $('<option value="' + i + '" title="' + s + '"></option>').text(val)
         );
 
         all_common_modules.push(i);
@@ -385,12 +385,11 @@ function agent_changed_by_multiple_agents_with_alerts(
         }
       }
       jQuery.each(data, function(i, val) {
-        s = js_html_entity_decode(val);
-        $("#module").append(
-          $("<option></option>")
-            .html(s)
-            .attr("value", val)
-        );
+        var s = js_html_entity_decode(val);
+
+        s = s.replace(/"/g, "&quot;").replace(/'/g, "&apos;");
+
+        $("#module").append($('<option value="' + s + '"></option>').text(val));
         $("#module").fadeIn("normal");
       });
       if (selected != undefined) $("#module").attr("value", selected);
@@ -481,12 +480,22 @@ function alert_templates_changed_by_multiple_agents_with_alerts(
         }
       }
       jQuery.each(data, function(i, val) {
-        s = js_html_entity_decode(val);
+        var decoded_val = js_html_entity_decode(val);
+
+        decoded_val = decoded_val
+          .replace(/"/g, "&quot;")
+          .replace(/'/g, "&apos;");
+
         $("#module").append(
-          $("<option></option>")
-            .html(s)
-            .attr("value", val)
+          $(
+            '<option value="' +
+              decoded_val +
+              '" title="' +
+              decoded_val +
+              '"></option>'
+          ).text(val)
         );
+
         $("#module").fadeIn("normal");
       });
       if (selected != undefined) $("#module").attr("value", selected);