monitor.php: Escape SignalCheckColour to prevent XSS. Fixes #2451

Matthew Noorenberghe 2019-02-09 16:41:54 -08:00
parent bb75dad091
commit 254b7286b4
2 changed files with 15 additions and 1 deletions


@ -331,6 +331,20 @@ private $control_fields = array(
return $this->defaults{$field};
} // end function Height
public function SignalCheckColour($new=null) {
$field = 'SignalCheckColour';
if ($new) {
$this->{$field} = $new;
}
// Validate that it's a valid colour (we seem to allow color names, not just hex).
// This also helps prevent XSS.
if (array_key_exists($field, $this) && preg_match('/^[#0-9a-zA-Z]+$/', $this->{$field})) {
return $this->{$field};
}
return $this->defaults{$field};
} // end function SignalCheckColour
public function set($data) {
foreach ($data as $k => $v) {
if ( method_exists($this, $k) ) {
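Review bot: The whitelist on the new getter uses `$` as its anchor, and in PCRE `$` also matches just before a trailing newline, so a value such as `"red\n"` passes `preg_match('/^[#0-9a-zA-Z]+$/', ...)` and is returned unchanged; anchor with `\z` (`'/^[#0-9a-zA-Z]+\z/'`) or add the `D` modifier so the whole string must match. The check also runs only on read: `if ($new) { $this->{$field} = $new; }` stores any value, so an invalid colour is persisted and merely masked when the getter is called, and `if ($new)` rejects legitimate falsy input such as `'0'` — consider `if ($new !== null)` and applying the same whitelist before assignment. `array_key_exists($field, $this)` is passed an object, which is deprecated in PHP 7.4 and a TypeError in PHP 8; `property_exists($this, $field)` or `isset($this->{$field})` expresses the intent and keeps the method working on newer runtimes. The surrounding class and the `set()` method start and end outside this hunk.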


@ -1021,7 +1021,7 @@ if ( $monitor->Type() == 'Local' ) {
<td><?php echo translate('SignalCheckColour') ?></td>
<td>
<input type="text" name="newMonitor[SignalCheckColour]" value="<?php echo validHtmlStr($monitor->SignalCheckColour()) ?>" size="10" onchange="$('SignalCheckSwatch').setStyle('backgroundColor', this.value)"/>
<span id="SignalCheckSwatch" class="swatch" style="background-color: <?php echo $monitor->SignalCheckColour()?>;">&nbsp;&nbsp;&nbsp;&nbsp;</span>
<span id="SignalCheckSwatch" class="swatch" style="background-color: <?php echo validHtmlStr($monitor->SignalCheckColour()); ?>;">&nbsp;&nbsp;&nbsp;&nbsp;</span>
</td>
</tr>
<tr>
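Review bot: The new `validHtmlStr(...)` call on the swatch's `style` attribute is HTML-attribute escaping, not CSS escaping, so the output is only safe because `Monitor::SignalCheckColour()` (changed in the other file of this commit) restricts the value to `[#0-9a-zA-Z]`; that dependency is invisible at this call site and a future change to the getter's whitelist would silently weaken it. A one-line comment on the new line would record the contract, e.g. `<?php /* colour value is whitelisted by Monitor::SignalCheckColour(); validHtmlStr() is defence in depth for the attribute context */ ?>`. The getter is now called twice in this block (the `<input>` value on the line above and the swatch); assigning it once to a local before the `<tr>` would keep the two outputs in step.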