From 8c5687ca308e441742725e0aff9075779fa1a498 Mon Sep 17 00:00:00 2001
From: Matt N
Date: Fri, 25 Jan 2019 05:35:07 -0800
Subject: [PATCH] Fix name/protocol XSS in controlcaps.php. Fixes #2445 (#2479)
---
 web/includes/functions.php | 3 +++
 web/skins/classic/views/controlcaps.php | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/web/includes/functions.php b/web/includes/functions.php
index 05761ddeb..a9cf815b4 100644
--- a/web/includes/functions.php
+++ b/web/includes/functions.php
@@ -450,6 +450,9 @@ function makeLink( $url, $label, $condition=1, $options='' ) {
 return( $string );
 }
+/**
+ * $label must be already escaped. It can't be done here since it sometimes contains HTML tags.
+ */
 function makePopupLink( $url, $winName, $winSize, $label, $condition=1, $options='' ) {
 // Avoid double-encoding since some consumers incorrectly pass a pre-escaped URL.
 $string = ' - + - +
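Review bot: The new docblock on makePopupLink states the `$label` contract only as free prose, so nothing surfaces it at the call sites where the escaping actually has to happen; I would make it a formal parameter description, e.g. `@param string $label Pre-escaped HTML. Callers must htmlspecialchars() any user-derived text before passing it; it is emitted as-is because it may legitimately contain tags.` The comment just below the signature says `$url` may arrive pre-escaped and is handled to avoid double-encoding, so `$url` deserves a matching one-line `@param` so the two opposite conventions (escape-before-call for `$label`, escape-inside for `$url`) are not confused by the next caller. Neither comment is enforced by code, so this XSS fix depends on every caller remembering the rule; the controlcaps.php call sites that were changed are not legible in this view, so I cannot confirm they all do. The body of makePopupLink (from `$string = '…`) continues outside the hunk.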