From 371e30a14aa51da456605ec4f5a5d37b5a3bd8e8 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Tue, 24 Jun 2014 20:23:47 +0200
Subject: Escape HTML in GET-provided hostname

A malicious user can enter javascript code in "h" GET parameter and this
code gets executed because this parameter is copied in the HTML output
without any escaping.  This patch escape the output before it is checked
it is valid.
---
 detail.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'detail.php')

diff --git a/detail.php b/detail.php
index 0fedb69..4fb43b0 100644
--- a/detail.php
+++ b/detail.php
@@ -27,8 +27,8 @@ $selected_plugins = !$plugin ? $CONFIG['overview'] : array($plugin);
 
 html_start();
 
-printf('<fieldset id="%s">', $host);
-printf('<legend>%s</legend>', $host);
+printf('<fieldset id="%s">', htmlentities($host));
+printf('<legend>%s</legend>', htmlentities($host));
 
 if (!$plugins = collectd_plugins($host)) {
 	echo "Unknown host\n";
-- 
cgit v1.1