From 371e30a14aa51da456605ec4f5a5d37b5a3bd8e8 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Tue, 24 Jun 2014 20:23:47 +0200
Subject: Escape HTML in GET-provided hostname
A malicious user can enter javascript code in "h" GET parameter and this code gets executed because this parameter is copied in the HTML output without any escaping. This patch escape the output before it is checked it is valid.
---
host.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'host.php')
diff --git a/host.php b/host.php
index b398630..97f4dae 100644
--- a/host.php
+++ b/host.php
@@ -11,8 +11,8 @@ $selected_plugins = !$plugin ? $CONFIG['overview'] : array($plugin);
 html_start();
-printf("
", $host);
-printf("%s", $host);
+printf("
", htmlentities($host));
+printf("%s", htmlentities($host));
 if (!$plugins = collectd_plugins($host)) {
--
cgit v1.1
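Review bot: Both added `printf` calls rely on `htmlentities($host)` with its default flags, which leave single quotes unescaped on PHP versions before 8.1 and assume ISO-8859-1 on versions before 5.4. The markup inside the format strings is not legible in this rendering, so whether the first call writes into a quoted attribute is an inference; if it does, passing the flags explicitly keeps the escaping safe for either quote style, for example `$host_html = htmlspecialchars($host, ENT_QUOTES, 'UTF-8');` computed once and used in both calls. The value is also still written to the page before `collectd_plugins($host)` runs, so rejecting an unknown or malformed host ahead of the first `printf` would keep unvalidated input out of the response altogether. The rest of host.php lies outside the hunk, so other places that echo request parameters could not be checked here.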