author | Peter Wu | 2014-07-20 23:23:17 +0200 |
---|---|---|
committer | Peter Wu | 2014-07-20 23:23:17 +0200 |
commit | c7283e1cae6bbdc13464a77ae7f22bd9489fe089 (patch) | |
tree | ffc767ddc0392b286d5cec0f053cf09796333077 /inc/html.inc.php | |
parent | graph: don't overwrite config rrdtool_opts by rrdtool_opts from json plugin (diff) | |
Defensive programming: more urlencode/htmlentities
Make build_url return an URL, not HTML. This separates presentation
from data.
plugin_header's return value is unused, remove the unnecessary return.
At places where `printf("<tag att='%s'>", $x);` is used, it is now
converted to `printf("<tag att=\"%s\">", htmlentities($x));` since
the single quote is not escaped by default by htmlentities.
In case the canvas style is used, JS should use `textContent` instead
of `innerHTML` to avoid reading `&quot;` instead of `"`. Nobody (should)
use(s) IE6 anymore, so it is a safe change.
While at it, use the standard charset attribute of meta to specify
the character set (UTF-8).
Diffstat (limited to 'inc/html.inc.php')
-rw-r--r-- | inc/html.inc.php | 98 |
1 files changed, 51 insertions, 47 deletions
diff --git a/inc/html.inc.php b/inc/html.inc.php index 69609d8..b8d2f82 100644 --- a/inc/html.inc.php +++ b/inc/html.inc.php | |||
@@ -11,14 +11,15 @@ function html_start() { | |||
11 | global $CONFIG; | 11 | global $CONFIG; |
12 | 12 | ||
13 | $path = htmlentities(breadcrumbs()); | 13 | $path = htmlentities(breadcrumbs()); |
14 | $html_weburl = htmlentities($CONFIG['weburl']); | ||
14 | 15 | ||
15 | echo <<<EOT | 16 | echo <<<EOT |
16 | <!DOCTYPE html> | 17 | <!DOCTYPE html> |
17 | <html> | 18 | <html> |
18 | <head> | 19 | <head> |
19 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> | 20 | <meta charset="utf-8"> |
20 | <title>CGP{$path}</title> | 21 | <title>CGP{$path}</title> |
21 | <link rel="stylesheet" href="{$CONFIG['weburl']}layout/style.css" type="text/css"> | 22 | <link rel="stylesheet" href="{$html_weburl}layout/style.css" type="text/css"> |
22 | <meta name="viewport" content="width=1050, initial-scale=1.0, maximum-scale=1.0, user-scalable=yes"> | 23 | <meta name="viewport" content="width=1050, initial-scale=1.0, maximum-scale=1.0, user-scalable=yes"> |
23 | 24 | ||
24 | EOT; | 25 | EOT; |
@@ -31,16 +32,16 @@ EOT; | |||
31 | 32 | ||
32 | if ($CONFIG['graph_type'] == 'canvas') { | 33 | if ($CONFIG['graph_type'] == 'canvas') { |
33 | echo <<<EOT | 34 | echo <<<EOT |
34 | <script type="text/javascript" src="{$CONFIG['weburl']}js/sprintf.js"></script> | 35 | <script type="text/javascript" src="{$html_weburl}js/sprintf.js"></script> |
35 | <script type="text/javascript" src="{$CONFIG['weburl']}js/strftime.js"></script> | 36 | <script type="text/javascript" src="{$html_weburl}js/strftime.js"></script> |
36 | <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdRpn.js"></script> | 37 | <script type="text/javascript" src="{$html_weburl}js/RrdRpn.js"></script> |
37 | <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdTime.js"></script> | 38 | <script type="text/javascript" src="{$html_weburl}js/RrdTime.js"></script> |
38 | <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdGraph.js"></script> | 39 | <script type="text/javascript" src="{$html_weburl}js/RrdGraph.js"></script> |
39 | <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdGfxCanvas.js"></script> | 40 | <script type="text/javascript" src="{$html_weburl}js/RrdGfxCanvas.js"></script> |
40 | <script type="text/javascript" src="{$CONFIG['weburl']}js/binaryXHR.js"></script> | 41 | <script type="text/javascript" src="{$html_weburl}js/binaryXHR.js"></script> |
41 | <script type="text/javascript" src="{$CONFIG['weburl']}js/rrdFile.js"></script> | 42 | <script type="text/javascript" src="{$html_weburl}js/rrdFile.js"></script> |
42 | <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdDataFile.js"></script> | 43 | <script type="text/javascript" src="{$html_weburl}js/RrdDataFile.js"></script> |
43 | <script type="text/javascript" src="{$CONFIG['weburl']}js/RrdCmdLine.js"></script> | 44 | <script type="text/javascript" src="{$html_weburl}js/RrdCmdLine.js"></script> |
44 | 45 | ||
45 | EOT; | 46 | EOT; |
46 | } | 47 | } |
@@ -50,7 +51,7 @@ echo <<<EOT | |||
50 | <body> | 51 | <body> |
51 | 52 | ||
52 | <div id="header"> | 53 | <div id="header"> |
53 | <h1><a href="{$CONFIG['weburl']}">Collectd Graph Panel</a></h1> | 54 | <h1><a href="{$html_weburl}">Collectd Graph Panel</a></h1> |
54 | </div> | 55 | </div> |
55 | 56 | ||
56 | <div id="content"> | 57 | <div id="content"> |
@@ -74,27 +75,29 @@ function html_end() { | |||
74 | $version = 'v'.$version[0]; | 75 | $version = 'v'.$version[0]; |
75 | } | 76 | } |
76 | 77 | ||
78 | $html_weburl = htmlentities($CONFIG['weburl']); | ||
79 | |||
77 | echo <<<EOT | 80 | echo <<<EOT |
78 | </div> | 81 | </div> |
79 | <div id="footer"> | 82 | <div id="footer"> |
80 | <hr><span class="small"><a href="http://pommi.nethuis.nl/category/cgp/" rel="external">Collectd Graph Panel</a> ({$version}) is distributed under the <a href="{$CONFIG['weburl']}doc/LICENSE" rel="licence">GNU General Public License (GPLv3)</a></span> | 83 | <hr><span class="small"><a href="http://pommi.nethuis.nl/category/cgp/" rel="external">Collectd Graph Panel</a> ({$version}) is distributed under the <a href="{$html_weburl}doc/LICENSE" rel="licence">GNU General Public License (GPLv3)</a></span> |
81 | </div> | 84 | </div> |
82 | 85 | ||
83 | EOT; | 86 | EOT; |
84 | 87 | ||
85 | if ($CONFIG['graph_type'] == 'canvas') { | 88 | if ($CONFIG['graph_type'] == 'canvas') { |
86 | echo <<<EOT | 89 | echo <<<EOT |
87 | <script type="text/javascript" src="{$CONFIG['weburl']}js/CGP.js"></script> | 90 | <script type="text/javascript" src="{$html_weburl}js/CGP.js"></script> |
88 | 91 | ||
89 | EOT; | 92 | EOT; |
90 | if ($CONFIG['rrd_fetch_method'] == 'async') { | 93 | if ($CONFIG['rrd_fetch_method'] == 'async') { |
91 | echo <<<EOT | 94 | echo <<<EOT |
92 | <script type="text/javascript" src="{$CONFIG['weburl']}js/CGP-async.js"></script> | 95 | <script type="text/javascript" src="{$html_weburl}js/CGP-async.js"></script> |
93 | 96 | ||
94 | EOT; | 97 | EOT; |
95 | } else { | 98 | } else { |
96 | echo <<<EOT | 99 | echo <<<EOT |
97 | <script type="text/javascript" src="{$CONFIG['weburl']}js/CGP-sync.js"></script> | 100 | <script type="text/javascript" src="{$html_weburl}js/CGP-sync.js"></script> |
98 | 101 | ||
99 | EOT; | 102 | EOT; |
100 | } | 103 | } |
@@ -109,7 +112,11 @@ EOT; | |||
109 | function plugin_header($host, $plugin) { | 112 | function plugin_header($host, $plugin) { |
110 | global $CONFIG; | 113 | global $CONFIG; |
111 | 114 | ||
112 | return printf("<h2><a href='%shost.php?h=%s&p=%s'>%s</a></h2>\n", $CONFIG['weburl'], $host, $plugin, $plugin); | 115 | printf("<h2><a href=\"%shost.php?h=%s&p=%s\">%s</a></h2>\n", |
116 | htmlentities($CONFIG['weburl']), | ||
117 | urlencode($host), | ||
118 | urlencode($plugin), | ||
119 | htmlentities($plugin)); | ||
113 | } | 120 | } |
114 | 121 | ||
115 | function plugins_list($host, $selected_plugins = array()) { | 122 | function plugins_list($host, $selected_plugins = array()) { |
@@ -121,20 +128,21 @@ function plugins_list($host, $selected_plugins = array()) { | |||
121 | echo '<h2>Plugins</h2>'; | 128 | echo '<h2>Plugins</h2>'; |
122 | echo '<ul>'; | 129 | echo '<ul>'; |
123 | 130 | ||
124 | printf("<li><a %s href='%shost.php?h=%s'>overview</a></li>\n", | 131 | printf("<li><a %s href=\"%shost.php?h=%s\">overview</a></li>\n", |
125 | selected_overview($selected_plugins), | 132 | selected_overview($selected_plugins), |
126 | $CONFIG['weburl'], | 133 | htmlentities($CONFIG['weburl']), |
127 | $host | 134 | urlencode($host) |
128 | ); | 135 | ); |
129 | 136 | ||
130 | # first the ones defined as ordered | 137 | # first the ones defined as ordered |
131 | foreach($CONFIG['overview'] as $plugin) { | 138 | foreach($CONFIG['overview'] as $plugin) { |
132 | if (in_array($plugin, $plugins)) { | 139 | if (in_array($plugin, $plugins)) { |
133 | printf("<li><a %s href='%shost.php?h=%s&p=%s'>%4\$s</a></li>\n", | 140 | printf("<li><a %s href=\"%shost.php?h=%s&p=%s\">%s</a></li>\n", |
134 | selected_plugin($plugin, $selected_plugins), | 141 | selected_plugin($plugin, $selected_plugins), |
135 | $CONFIG['weburl'], | 142 | htmlentities($CONFIG['weburl']), |
136 | $host, | 143 | urlencode($host), |
137 | $plugin | 144 | urlencode($plugin), |
145 | htmlentities($plugin) | ||
138 | ); | 146 | ); |
139 | } | 147 | } |
140 | } | 148 | } |
@@ -142,11 +150,12 @@ function plugins_list($host, $selected_plugins = array()) { | |||
142 | # other plugins | 150 | # other plugins |
143 | foreach($plugins as $plugin) { | 151 | foreach($plugins as $plugin) { |
144 | if (!in_array($plugin, $CONFIG['overview'])) { | 152 | if (!in_array($plugin, $CONFIG['overview'])) { |
145 | printf("<li><a %s href='%shost.php?h=%s&p=%s'>%4\$s</a></li>\n", | 153 | printf("<li><a %s href=\"%shost.php?h=%s&p=%s\">%s</a></li>\n", |
146 | selected_plugin($plugin, $selected_plugins), | 154 | selected_plugin($plugin, $selected_plugins), |
147 | $CONFIG['weburl'], | 155 | htmlentities($CONFIG['weburl']), |
148 | $host, | 156 | urlencode($host), |
149 | $plugin | 157 | urlencode($plugin), |
158 | htmlentities($plugin) | ||
150 | ); | 159 | ); |
151 | } | 160 | } |
152 | } | 161 | } |
@@ -181,8 +190,8 @@ function host_summary($cat, $hosts) { | |||
181 | 190 | ||
182 | $rrd = new RRDTool($CONFIG['rrdtool']); | 191 | $rrd = new RRDTool($CONFIG['rrdtool']); |
183 | 192 | ||
184 | printf('<fieldset id="%s">', $cat); | 193 | printf('<fieldset id="%s">', htmlentities($cat)); |
185 | printf('<legend>%s</legend>', $cat); | 194 | printf('<legend>%s</legend>', htmlentities($cat)); |
186 | echo "<table class=\"summary\">\n"; | 195 | echo "<table class=\"summary\">\n"; |
187 | 196 | ||
188 | $row_style = array(0 => "even", 1 => "odd"); | 197 | $row_style = array(0 => "even", 1 => "odd"); |
@@ -193,7 +202,9 @@ function host_summary($cat, $hosts) { | |||
193 | 202 | ||
194 | printf('<tr class="%s">', $row_style[$host_counter % 2]); | 203 | printf('<tr class="%s">', $row_style[$host_counter % 2]); |
195 | printf('<th><a href="%shost.php?h=%s">%s</a></th>', | 204 | printf('<th><a href="%shost.php?h=%s">%s</a></th>', |
196 | $CONFIG['weburl'],$host, $host); | 205 | htmlentities($CONFIG['weburl']), |
206 | urlencode($host), | ||
207 | htmlentities($host)); | ||
197 | 208 | ||
198 | if ($CONFIG['showload']) { | 209 | if ($CONFIG['showload']) { |
199 | require_once 'type/Default.class.php'; | 210 | require_once 'type/Default.class.php'; |
@@ -308,11 +319,10 @@ function graphs_from_plugin($host, $plugin, $overview=false) { | |||
308 | $_GET['s'] = $time; | 319 | $_GET['s'] = $time; |
309 | include $CONFIG['webdir'].'/graph.php'; | 320 | include $CONFIG['webdir'].'/graph.php'; |
310 | } else { | 321 | } else { |
311 | printf('<a href="%s%s"><img src="%s%s"></a>'."\n", | 322 | printf('<a href="%1$s%2$s"><img src="%1$s%3$s"></a>'."\n", |
312 | $CONFIG['weburl'], | 323 | htmlentities($CONFIG['weburl']), |
313 | build_url('detail.php', $items, $time), | 324 | htmlentities(build_url('detail.php', $items, $time)), |
314 | $CONFIG['weburl'], | 325 | htmlentities(build_url('graph.php', $items, $time)) |
315 | build_url('graph.php', $items, $time) | ||
316 | ); | 326 | ); |
317 | } | 327 | } |
318 | } | 328 | } |
@@ -328,17 +338,11 @@ function build_url($base, $items, $s=NULL) { | |||
328 | if (!is_numeric($s)) | 338 | if (!is_numeric($s)) |
329 | $s = $CONFIG['time_range']['default']; | 339 | $s = $CONFIG['time_range']['default']; |
330 | 340 | ||
331 | $i=0; | 341 | // Remove all empty values |
332 | foreach ($items as $key => $value) { | 342 | $items = array_filter($items, 'strlen'); |
333 | # don't include empty values | ||
334 | if ($value == 'NULL') | ||
335 | continue; | ||
336 | 343 | ||
337 | $base .= sprintf('%s%s=%s', $i==0 ? '?' : '&', $key, $value); | ||
338 | $i++; | ||
339 | } | ||
340 | if (!isset($items['s'])) | 344 | if (!isset($items['s'])) |
341 | $base .= '&s='.$s; | 345 | $items['s'] = $s; |
342 | 346 | ||
343 | return $base; | 347 | return "$base?" . http_build_query($items, '', '&'); |
344 | } | 348 | } |
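Review bot: The new filter at new line 342, `array_filter($items, 'strlen')`, drops a different set of entries than the loop it replaces: empty strings and nulls are now removed, while the literal string `'NULL'` that the old `$value == 'NULL'` check skipped is kept and will be emitted into the query, so it is worth confirming that no caller still passes `'NULL'` as a "no value" marker. On PHP 8.1+ `strlen(null)` also raises a deprecation notice, so an explicit predicate such as `static fn ($v): bool => $v !== null && $v !== ''` would state the intent and avoid that. Line 347's `"$base?"` assumes `$base` carries no query string of its own; the callers visible in this diff pass bare script names, so that holds today but is not enforced. Since build_url now returns a raw, unescaped URL that every caller must pass through htmlentities() before embedding (as graphs_from_plugin does at new line 324), a docblock stating that contract, e.g. `/** Build a raw (unescaped) URL; callers must htmlentities() the result before embedding it in HTML. */`, would keep the next caller from echoing it directly. build_url's signature and the start of its body lie outside this hunk.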