Fixed xss event comments vulnerabiluty and some acls on event ajax

pandora_console/include/ajax/events.php

@@ -871,6 +871,11 @@ if ($get_response_description) {
 }
 
 if ($get_response_params) {
+    if (! check_acl($config['id_user'], 0, 'EW')) {
+        echo 'unauthorized';
+        return;
+    }
+
     $response_id = get_parameter('response_id');
 
     $params = db_get_value('params', 'tevent_response', 'id', $response_id);
@@ -885,6 +890,11 @@ if ($get_response_params) {
 }
 
 if ($get_response_target) {
+    if (! check_acl($config['id_user'], 0, 'EW')) {
+        echo 'unauthorized';
+        return;
+    }
+
     $response_id = (int) get_parameter('response_id');
     $event_id = (int) get_parameter('event_id');
     $server_id = (int) get_parameter('server_id');
@@ -901,6 +911,11 @@ if ($get_response_target) {
 }
 
 if ($get_response) {
+    if (! check_acl($config['id_user'], 0, 'EW')) {
+        echo 'unauthorized';
+        return;
+    }
+
     $response_id = get_parameter('response_id');
 
     $event_response = db_get_row('tevent_response', 'id', $response_id);
@@ -917,6 +932,11 @@ if ($get_response) {
 if ($perform_event_response) {
     global $config;
 
+    if (! check_acl($config['id_user'], 0, 'EW')) {
+        echo 'unauthorized';
+        return;
+    }
+
     $response_id = get_parameter('response_id');
     $event_id = (int) get_parameter('event_id');
     $server_id = (int) get_parameter('server_id', 0);
@@ -1011,6 +1031,11 @@ if ($perform_event_response) {
 if ($dialogue_event_response) {
     global $config;
 
+    if (! check_acl($config['id_user'], 0, 'EW')) {
+        echo 'unauthorized';
+        return;
+    }
+
     $event_id = get_parameter('event_id');
     $response_id = get_parameter('response_id');
     $command = get_parameter('target');

pandora_console/include/functions_events.php

@@ -2118,7 +2118,7 @@ function events_comment(
 
     switch ($comments_format) {
         case 'new':
-            $comment_for_json['comment'] = $comment;
+            $comment_for_json['comment'] = io_safe_input($comment);
             $comment_for_json['action'] = $action;
             $comment_for_json['id_user'] = $config['id_user'];
             $comment_for_json['utimestamp'] = time();
@@ -2141,7 +2141,7 @@ function events_comment(
             $comment = str_replace(["\r\n", "\r", "\n"], '<br>', $comment);
 
             if ($comment != '') {
-                $commentbox = '<div style="border:1px dotted #CCC; min-height: 10px;">'.$comment.'</div>';
+                $commentbox = '<div style="border:1px dotted #CCC; min-height: 10px;">'.io_safe_input($comment).'</div>';
             } else {
                 $commentbox = '';
             }

pandora_console/operation/events/events.build_table.php

@@ -982,6 +982,7 @@ if ($group_rep == 2) {
                 $array_events_actions[$val['id']] = $val['name'];
             }
 
+            if (check_acl($config['id_user'], 0, 'EW')) {
                 if ($config['event_replication'] != 1) {
                     echo '<div style="width:100%;text-align:right;">';
                     echo '<form method="post" id="form_event_response">';
@@ -1002,6 +1003,7 @@ if ($group_rep == 2) {
                     echo '</div>';
                 }
             }
+        }
 
         ?>
             <script type="text/javascript">

pandora_console/operation/events/events.php

@@ -1530,7 +1530,7 @@ foreach ($event_responses as $val) {
     $array_events_actions[$val['id']] = $val['name'];
 }
 
-
+if (check_acl($config['id_user'], 0, 'EW')) {
     echo '<div class="multi-response-buttons">';
     echo '<form method="post" id="form_event_response">';
     echo '<input type="hidden" id="max_execution_event_response" value="'.$config['max_execution_event_response'].'" />';
@@ -1549,7 +1549,7 @@ echo __(
         'Please, select an event'
     ).'</span>';
     echo '</div>';
-
+}
 
 // Close viewer.
 enterprise_hook('close_meta_frame');