monitor.php: Escape SignalCheckColour to prevent XSS. Fixes #2451
parent
bb75dad091
commit
254b7286b4
|
@ -331,6 +331,20 @@ private $control_fields = array(
|
|||
return $this->defaults{$field};
|
||||
} // end function Height
|
||||
|
||||
public function SignalCheckColour($new=null) {
|
||||
$field = 'SignalCheckColour';
|
||||
if ($new) {
|
||||
$this->{$field} = $new;
|
||||
}
|
||||
|
||||
// Validate that it's a valid colour (we seem to allow color names, not just hex).
|
||||
// This also helps prevent XSS.
|
||||
if (array_key_exists($field, $this) && preg_match('/^[#0-9a-zA-Z]+$/', $this->{$field})) {
|
||||
return $this->{$field};
|
||||
}
|
||||
return $this->defaults{$field};
|
||||
} // end function SignalCheckColour
|
||||
|
||||
public function set($data) {
|
||||
foreach ($data as $k => $v) {
|
||||
if ( method_exists($this, $k) ) {
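Review bot: The colour pattern is enforced only when the value is read through SignalCheckColour(); the `if ($new)` branch still assigns the unvalidated string to `$this->{$field}`, so any code that reads the property directly or persists the object would carry the raw input (whether such readers exist is not visible in this hunk). I would validate before assigning, e.g. `if ($new && preg_match('/^[#0-9a-zA-Z]+\z/', $new)) {`, keeping the read-side check as a second layer. Note that `$` in the current pattern also matches before a trailing newline, which `\z` (or the `D` modifier) closes. Separately, `array_key_exists($field, $this)` on an object is deprecated from PHP 7.4 and rejected in PHP 8; `property_exists($this, $field)` is the closer replacement.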
|
||||
|
|
|
@ -1021,7 +1021,7 @@ if ( $monitor->Type() == 'Local' ) {
|
|||
<td><?php echo translate('SignalCheckColour') ?></td>
|
||||
<td>
|
||||
<input type="text" name="newMonitor[SignalCheckColour]" value="<?php echo validHtmlStr($monitor->SignalCheckColour()) ?>" size="10" onchange="$('SignalCheckSwatch').setStyle('backgroundColor', this.value)"/>
|
||||
<span id="SignalCheckSwatch" class="swatch" style="background-color: <?php echo $monitor->SignalCheckColour()?>;"> </span>
|
||||
<span id="SignalCheckSwatch" class="swatch" style="background-color: <?php echo validHtmlStr($monitor->SignalCheckColour()); ?>;"> </span>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
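Review bot: On the new `SignalCheckSwatch` span the value is emitted inside a `style` attribute, where an HTML escaper is not the matching encoder: assuming validHtmlStr() is an HTML-entity escaper, it prevents breaking out of the attribute but leaves `;`, `:` and parentheses intact, so it would not by itself stop extra CSS declarations. What actually constrains the value here is the allow-list in the SignalCheckColour() accessor added by this commit, so the safety of this line depends on that accessor staying strict. I would record that coupling next to the echo, for example `<?php /* SignalCheckColour() returns only [#0-9a-zA-Z]; validHtmlStr() is defence in depth */ ?>`, so a later relaxation of the accessor prompts a second look at this output.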
|
||||
|
|