authorPeter Wu2014-07-20 23:23:17 +0200
committerPeter Wu2014-07-20 23:23:17 +0200
commitc7283e1cae6bbdc13464a77ae7f22bd9489fe089 (patch)
treeffc767ddc0392b286d5cec0f053cf09796333077 /inc/html.inc.php
parentgraph: don't overwrite config rrdtool_opts by rrdtool_opts from json plugin (diff)
Defensive programming: more urlencode/htmlentities
Make build_url return a URL, not HTML. This separates presentation from data. plugin_header's return value is unused, remove the unnecessary return. At places where `printf("<tag att='%s'>", $x);` is used, it is now converted to `printf("<tag att=\"%s\">", htmlentities($x));` since the single quote is not escaped by default by htmlentities. In case the canvas style is used, JS should use `textContent` instead of `innerHTML` to avoid reading `&quot;` instead of `"`. Nobody (should) use(s) IE6 anymore, so it is a safe change. While at it, use the standard charset attribute of meta to specify the character set (UTF-8).
Diffstat (limited to '')
-rw-r--r--inc/html.inc.php98
1 files changed, 51 insertions, 47 deletions
diff --git a/inc/html.inc.php b/inc/html.inc.php
index 69609d8..b8d2f82 100644
--- a/inc/html.inc.php
+++ b/inc/html.inc.php
@@ -11,14 +11,15 @@ function html_start() {
11 global $CONFIG; 11 global $CONFIG;
12 12
13 $path = htmlentities(breadcrumbs()); 13 $path = htmlentities(breadcrumbs());
14 $html_weburl = htmlentities($CONFIG['weburl']);
14 15
15 echo <<<EOT 16 echo <<<EOT
16<!DOCTYPE html> 17<!DOCTYPE html>
17<html> 18<html>
18<head> 19<head>
19 <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 20 <meta charset="utf-8">
20 <title>CGP{$path}</title> 21 <title>CGP{$path}</title>
21 <link rel="stylesheet" href="{$CONFIG['weburl']}layout/style.css" type="text/css"> 22 <link rel="stylesheet" href="{$html_weburl}layout/style.css" type="text/css">
22 <meta name="viewport" content="width=1050, initial-scale=1.0, maximum-scale=1.0, user-scalable=yes"> 23 <meta name="viewport" content="width=1050, initial-scale=1.0, maximum-scale=1.0, user-scalable=yes">
23 24
24EOT; 25EOT;
@@ -31,16 +32,16 @@ EOT;
31 32
32 if ($CONFIG['graph_type'] == 'canvas') { 33 if ($CONFIG['graph_type'] == 'canvas') {
33 echo <<<EOT 34 echo <<<EOT
34 <script type="text/javascript" src="{$CONFIG['weburl']}js/sprintf.js"></script> 35 <script type="text/javascript" src="{$html_weburl}js/sprintf.js"></script>
35 <script type="text/javascript" src="{$CONFIG['weburl']}js/strftime.js"></script> 36 <script type="text/javascript" src="{$html_weburl}js/strftime.js"></script>
36 <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdRpn.js"></script> 37 <script type="text/javascript" src="{$html_weburl}js/RrdRpn.js"></script>
37 <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdTime.js"></script> 38 <script type="text/javascript" src="{$html_weburl}js/RrdTime.js"></script>
38 <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdGraph.js"></script> 39 <script type="text/javascript" src="{$html_weburl}js/RrdGraph.js"></script>
39 <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdGfxCanvas.js"></script> 40 <script type="text/javascript" src="{$html_weburl}js/RrdGfxCanvas.js"></script>
40 <script type="text/javascript" src="{$CONFIG['weburl']}js/binaryXHR.js"></script> 41 <script type="text/javascript" src="{$html_weburl}js/binaryXHR.js"></script>
41 <script type="text/javascript" src="{$CONFIG['weburl']}js/rrdFile.js"></script> 42 <script type="text/javascript" src="{$html_weburl}js/rrdFile.js"></script>
42 <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdDataFile.js"></script> 43 <script type="text/javascript" src="{$html_weburl}js/RrdDataFile.js"></script>
43 <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdCmdLine.js"></script> 44 <script type="text/javascript" src="{$html_weburl}js/RrdCmdLine.js"></script>
44 45
45EOT; 46EOT;
46 } 47 }
@@ -50,7 +51,7 @@ echo <<<EOT
50<body> 51<body>
51 52
52<div id="header"> 53<div id="header">
53 <h1><a href="{$CONFIG['weburl']}">Collectd Graph Panel</a></h1> 54 <h1><a href="{$html_weburl}">Collectd Graph Panel</a></h1>
54</div> 55</div>
55 56
56<div id="content"> 57<div id="content">
@@ -74,27 +75,29 @@ function html_end() {
74 $version = 'v'.$version[0]; 75 $version = 'v'.$version[0];
75 } 76 }
76 77
78 $html_weburl = htmlentities($CONFIG['weburl']);
79
77 echo <<<EOT 80 echo <<<EOT
78</div> 81</div>
79<div id="footer"> 82<div id="footer">
80<hr><span class="small"><a href="http://pommi.nethuis.nl/category/cgp/" rel="external">Collectd Graph Panel</a> ({$version}) is distributed under the <a href="{$CONFIG['weburl']}doc/LICENSE" rel="licence">GNU General Public License (GPLv3)</a></span> 83<hr><span class="small"><a href="http://pommi.nethuis.nl/category/cgp/" rel="external">Collectd Graph Panel</a> ({$version}) is distributed under the <a href="{$html_weburl}doc/LICENSE" rel="licence">GNU General Public License (GPLv3)</a></span>
81</div> 84</div>
82 85
83EOT; 86EOT;
84 87
85 if ($CONFIG['graph_type'] == 'canvas') { 88 if ($CONFIG['graph_type'] == 'canvas') {
86 echo <<<EOT 89 echo <<<EOT
87<script type="text/javascript" src="{$CONFIG['weburl']}js/CGP.js"></script> 90<script type="text/javascript" src="{$html_weburl}js/CGP.js"></script>
88 91
89EOT; 92EOT;
90 if ($CONFIG['rrd_fetch_method'] == 'async') { 93 if ($CONFIG['rrd_fetch_method'] == 'async') {
91 echo <<<EOT 94 echo <<<EOT
92<script type="text/javascript" src="{$CONFIG['weburl']}js/CGP-async.js"></script> 95<script type="text/javascript" src="{$html_weburl}js/CGP-async.js"></script>
93 96
94EOT; 97EOT;
95 } else { 98 } else {
96 echo <<<EOT 99 echo <<<EOT
97<script type="text/javascript" src="{$CONFIG['weburl']}js/CGP-sync.js"></script> 100<script type="text/javascript" src="{$html_weburl}js/CGP-sync.js"></script>
98 101
99EOT; 102EOT;
100 } 103 }
@@ -109,7 +112,11 @@ EOT;
109function plugin_header($host, $plugin) { 112function plugin_header($host, $plugin) {
110 global $CONFIG; 113 global $CONFIG;
111 114
112 return printf("<h2><a href='%shost.php?h=%s&amp;p=%s'>%s</a></h2>\n", $CONFIG['weburl'], $host, $plugin, $plugin); 115 printf("<h2><a href=\"%shost.php?h=%s&amp;p=%s\">%s</a></h2>\n",
116 htmlentities($CONFIG['weburl']),
117 urlencode($host),
118 urlencode($plugin),
119 htmlentities($plugin));
113} 120}
114 121
115function plugins_list($host, $selected_plugins = array()) { 122function plugins_list($host, $selected_plugins = array()) {
@@ -121,20 +128,21 @@ function plugins_list($host, $selected_plugins = array()) {
121 echo '<h2>Plugins</h2>'; 128 echo '<h2>Plugins</h2>';
122 echo '<ul>'; 129 echo '<ul>';
123 130
124 printf("<li><a %s href='%shost.php?h=%s'>overview</a></li>\n", 131 printf("<li><a %s href=\"%shost.php?h=%s\">overview</a></li>\n",
125 selected_overview($selected_plugins), 132 selected_overview($selected_plugins),
126 $CONFIG['weburl'], 133 htmlentities($CONFIG['weburl']),
127 $host 134 urlencode($host)
128 ); 135 );
129 136
130 # first the ones defined as ordered 137 # first the ones defined as ordered
131 foreach($CONFIG['overview'] as $plugin) { 138 foreach($CONFIG['overview'] as $plugin) {
132 if (in_array($plugin, $plugins)) { 139 if (in_array($plugin, $plugins)) {
133 printf("<li><a %s href='%shost.php?h=%s&amp;p=%s'>%4\$s</a></li>\n", 140 printf("<li><a %s href=\"%shost.php?h=%s&amp;p=%s\">%s</a></li>\n",
134 selected_plugin($plugin, $selected_plugins), 141 selected_plugin($plugin, $selected_plugins),
135 $CONFIG['weburl'], 142 htmlentities($CONFIG['weburl']),
136 $host, 143 urlencode($host),
137 $plugin 144 urlencode($plugin),
145 htmlentities($plugin)
138 ); 146 );
139 } 147 }
140 } 148 }
@@ -142,11 +150,12 @@ function plugins_list($host, $selected_plugins = array()) {
142 # other plugins 150 # other plugins
143 foreach($plugins as $plugin) { 151 foreach($plugins as $plugin) {
144 if (!in_array($plugin, $CONFIG['overview'])) { 152 if (!in_array($plugin, $CONFIG['overview'])) {
145 printf("<li><a %s href='%shost.php?h=%s&amp;p=%s'>%4\$s</a></li>\n", 153 printf("<li><a %s href=\"%shost.php?h=%s&amp;p=%s\">%s</a></li>\n",
146 selected_plugin($plugin, $selected_plugins), 154 selected_plugin($plugin, $selected_plugins),
147 $CONFIG['weburl'], 155 htmlentities($CONFIG['weburl']),
148 $host, 156 urlencode($host),
149 $plugin 157 urlencode($plugin),
158 htmlentities($plugin)
150 ); 159 );
151 } 160 }
152 } 161 }
@@ -181,8 +190,8 @@ function host_summary($cat, $hosts) {
181 190
182 $rrd = new RRDTool($CONFIG['rrdtool']); 191 $rrd = new RRDTool($CONFIG['rrdtool']);
183 192
184 printf('<fieldset id="%s">', $cat); 193 printf('<fieldset id="%s">', htmlentities($cat));
185 printf('<legend>%s</legend>', $cat); 194 printf('<legend>%s</legend>', htmlentities($cat));
186 echo "<table class=\"summary\">\n"; 195 echo "<table class=\"summary\">\n";
187 196
188 $row_style = array(0 => "even", 1 => "odd"); 197 $row_style = array(0 => "even", 1 => "odd");
@@ -193,7 +202,9 @@ function host_summary($cat, $hosts) {
193 202
194 printf('<tr class="%s">', $row_style[$host_counter % 2]); 203 printf('<tr class="%s">', $row_style[$host_counter % 2]);
195 printf('<th><a href="%shost.php?h=%s">%s</a></th>', 204 printf('<th><a href="%shost.php?h=%s">%s</a></th>',
196 $CONFIG['weburl'],$host, $host); 205 htmlentities($CONFIG['weburl']),
206 urlencode($host),
207 htmlentities($host));
197 208
198 if ($CONFIG['showload']) { 209 if ($CONFIG['showload']) {
199 require_once 'type/Default.class.php'; 210 require_once 'type/Default.class.php';
@@ -308,11 +319,10 @@ function graphs_from_plugin($host, $plugin, $overview=false) {
308 $_GET['s'] = $time; 319 $_GET['s'] = $time;
309 include $CONFIG['webdir'].'/graph.php'; 320 include $CONFIG['webdir'].'/graph.php';
310 } else { 321 } else {
311 printf('<a href="%s%s"><img src="%s%s"></a>'."\n", 322 printf('<a href="%1$s%2$s"><img src="%1$s%3$s"></a>'."\n",
312 $CONFIG['weburl'], 323 htmlentities($CONFIG['weburl']),
313 build_url('detail.php', $items, $time), 324 htmlentities(build_url('detail.php', $items, $time)),
314 $CONFIG['weburl'], 325 htmlentities(build_url('graph.php', $items, $time))
315 build_url('graph.php', $items, $time)
316 ); 326 );
317 } 327 }
318 } 328 }
@@ -328,17 +338,11 @@ function build_url($base, $items, $s=NULL) {
328 if (!is_numeric($s)) 338 if (!is_numeric($s))
329 $s = $CONFIG['time_range']['default']; 339 $s = $CONFIG['time_range']['default'];
330 340
331 $i=0; 341 // Remove all empty values
332 foreach ($items as $key => $value) { 342 $items = array_filter($items, 'strlen');
333 # don't include empty values
334 if ($value == 'NULL')
335 continue;
336 343
337 $base .= sprintf('%s%s=%s', $i==0 ? '?' : '&amp;', $key, $value);
338 $i++;
339 }
340 if (!isset($items['s'])) 344 if (!isset($items['s']))
341 $base .= '&amp;s='.$s; 345 $items['s'] = $s;
342 346
343 return $base; 347 return "$base?" . http_build_query($items, '', '&');
344} 348}
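Review bot: Every new `htmlentities($x)` call in this section (html_start, html_end, plugin_header, plugins_list, host_summary and graphs_from_plugin) uses the default flags and charset, so single quotes stay unescaped and the encoding is taken from the PHP ini setting rather than the `<meta charset="utf-8">` the page now declares; with those defaults htmlentities also returns an empty string for input that is not valid in that charset, which would silently blank a link text, legend or URL. Passing the arguments explicitly removes that dependence on configuration, e.g. `htmlentities($CONFIG['weburl'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (ENT_SUBSTITUTE needs PHP 5.4 or later), ideally through one small helper such as `function html_escape($s) { return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }` used at all of these call sites. In build_url, `array_filter($items, 'strlen')` removes only empty-string values, whereas the deleted loop skipped values equal to the literal string 'NULL'; if any caller still passes 'NULL' as a placeholder it now survives into the query string, so that should be confirmed against the callers. build_url's signature and the start of its body, and the callers of build_url other than graphs_from_plugin that must now escape its raw `&` separators, lie outside the hunk.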