From cb5905b00099614f5f976cd106de045af70002f1 Mon Sep 17 00:00:00 2001 From: "alejandro.campos@artica.es" Date: Fri, 11 Jun 2021 08:52:10 +0200 Subject: [PATCH 1/2] fixed xss vulnerability --- .../godmode/agentes/configurar_agente.php | 4 +- .../agentes/module_manager_editor_common.php | 2 +- pandora_console/include/javascript/pandora.js | 38 ++++++++++++------- 3 files changed, 27 insertions(+), 17 deletions(-) diff --git a/pandora_console/godmode/agentes/configurar_agente.php b/pandora_console/godmode/agentes/configurar_agente.php index 23f3437bd8..018409c8a0 100644 --- a/pandora_console/godmode/agentes/configurar_agente.php +++ b/pandora_console/godmode/agentes/configurar_agente.php @@ -2368,7 +2368,7 @@ switch ($tab) { var aget_id_os = ''; - if('' != $('#text-name').val() && + if('' != $('#text-name').val() && '' == 19){ event.preventDefault(); @@ -2402,7 +2402,7 @@ switch ($tab) { var module_type_snmp = ''; - if('' != $('#text-name').val() && ( + if('' != $('#text-name').val() && ( module_type_snmp == 15 || module_type_snmp == 16 || module_type_snmp == 17 || module_type_snmp == 18)){ event.preventDefault(); diff --git a/pandora_console/godmode/agentes/module_manager_editor_common.php b/pandora_console/godmode/agentes/module_manager_editor_common.php index dc0a0e4259..6e544c2395 100644 --- a/pandora_console/godmode/agentes/module_manager_editor_common.php +++ b/pandora_console/godmode/agentes/module_manager_editor_common.php @@ -214,7 +214,7 @@ $table_simple->colspan[3][1] = 3; $table_simple->data[0][0] = __('Name'); $table_simple->data[0][1] = html_print_input_text_extended( 'name', - io_safe_input(html_entity_decode($name, ENT_QUOTES, 'UTF-8')), + $name, 'text-name', '', 45, diff --git a/pandora_console/include/javascript/pandora.js b/pandora_console/include/javascript/pandora.js index a9a742f0cd..83c1c20b34 100644 --- a/pandora_console/include/javascript/pandora.js +++ b/pandora_console/include/javascript/pandora.js 
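Review bot: Passing `$name` straight through on the `+` line of the module_manager_editor_common.php hunk makes the value attribute's safety depend on `$name` already being in the entity-encoded (io_safe_input) form and on `html_print_input_text_extended` escaping its value argument, and neither contract is visible in this hunk; a comment on that line should record it, e.g. `// $name is expected to be io_safe_input()-encoded already; do not decode/re-encode it here (see XSS fix)`. A regression test that renders a module name containing `"`, `<` and `&` and checks the generated `value="…"` attribute stays entity-encoded would pin the fix. The two configurar_agente.php hunks show identical `-`/`+` lines in this rendering, so the actual change there cannot be reviewed from this page. The enclosing `$table_simple` assignment run starts before the hunk.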
@@ -281,11 +281,11 @@ function agent_changed_by_multiple_agents(event, id_agent, selected) { $.each(data, function(i, val) { var s = js_html_entity_decode(val); + s = s.replace(/"/g, """).replace(/'/g, "'"); + i = i.replace(/"/g, """).replace(/'/g, "'"); + $("#module").append( - $("") - .html(s) - .attr("value", i) - .attr("title", s) + $('').text(val) ); all_common_modules.push(i); @@ -385,12 +385,11 @@ function agent_changed_by_multiple_agents_with_alerts( } } jQuery.each(data, function(i, val) { - s = js_html_entity_decode(val); - $("#module").append( - $("") - .html(s) - .attr("value", val) - ); + var s = js_html_entity_decode(val); + + s = s.replace(/"/g, """).replace(/'/g, "'"); + + $("#module").append($('').text(val)); $("#module").fadeIn("normal"); }); if (selected != undefined) $("#module").attr("value", selected); @@ -481,12 +480,23 @@ function alert_templates_changed_by_multiple_agents_with_alerts( } } jQuery.each(data, function(i, val) { - s = js_html_entity_decode(val); + var decoded_val = js_html_entity_decode(val); + console.log("161616"); + + decoded_val = decoded_val + .replace(/"/g, """) + .replace(/'/g, "'"); + $("#module").append( - $("") - .html(s) - .attr("value", val) + $( + '' + ).text(val) ); + $("#module").fadeIn("normal"); }); if (selected != undefined) $("#module").attr("value", selected); From 98f0bc9facad25859f941a9ce044fae732eebd65 Mon Sep 17 00:00:00 2001 From: "alejandro.campos@artica.es" Date: Fri, 11 Jun 2021 08:54:00 +0200 Subject: [PATCH 2/2] fixed xss vulnerability --- pandora_console/include/javascript/pandora.js | 1 - 1 file changed, 1 deletion(-) diff --git a/pandora_console/include/javascript/pandora.js b/pandora_console/include/javascript/pandora.js index 83c1c20b34..9f54c5f7c5 100644 --- a/pandora_console/include/javascript/pandora.js +++ b/pandora_console/include/javascript/pandora.js 
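Review bot: The three pandora.js hunks replace the `.attr("value", …)`/`.attr("title", …)` construction with a `$('…')` markup string (the markup is stripped in this rendering, but the quote-only `.replace` escaping added just above each `append` only makes sense if `i` and `s` are concatenated into attributes), which moves the values from a non-parsing DOM setter into jQuery's HTML parser and escapes only `"` and `'`, so `<`, `>` and `&` in the decoded `s` survive. The original sink was `.html(s)`; keeping the attribute setters and replacing only that call — `$("<option></option>").attr("value", i).attr("title", s).text(s)` in the first hunk, and the same shape with `.attr("value", val)` in the other two — needs no manual escaping and leaves `all_common_modules.push(i)` storing the unmodified key instead of the entity-escaped one. `i.replace(...)` in the first hunk also assumes `i` is a string; if `data` ever arrives as a JSON array, `i` is a number and the call throws a TypeError, so either guard it or add a comment stating that `data` is always a keyed object. Each `each` callback's enclosing function starts outside its hunk.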
@@ -481,7 +481,6 @@ function alert_templates_changed_by_multiple_agents_with_alerts( } jQuery.each(data, function(i, val) { var decoded_val = js_html_entity_decode(val); - console.log("161616"); decoded_val = decoded_val .replace(/"/g, """)