Reviewed-by: Bernhard Bitsch <[email protected]>

Am 25.09.2025 um 13:12 schrieb Adolf Belka:
Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <[email protected]>
---
  html/cgi-bin/fwhosts.cgi | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index 953f81e5f..a666969b0 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -2,7 +2,7 @@
  
###############################################################################
  #                                                                             
#
  # IPFire.org - A linux based firewall                                         
#
-# Copyright (C) 2013 Alexander Marx <[email protected]>                        #
+# Copyright (C) 2013-2025  IPFire Team  <[email protected]>                     #
  #                                                                             
#
  # This program is free software: you can redistribute it and/or modify        
#
  # it under the terms of the GNU General Public License as published by        
#
@@ -714,7 +714,7 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp')
        }
if ($fwhostsettings{'update'} eq 'on'){
-               @target=$fwhostsettings{'COUNTRY_CODE'};
+               @target=&Header::escape($fwhostsettings{'COUNTRY_CODE'});
                $type='Location Group';
#check if host/net exists in grp
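Review bot: Nothing in the visible lines checks `COUNTRY_CODE` against the values a location group can legitimately hold; it is only HTML-escaped as it is copied into `@target`, so any string that survives escaping is still accepted. A country code is a closed set, so an allow-list test before this assignment would reject bad input instead of storing a rewritten form of it, for example `$fwhostsettings{'COUNTRY_CODE'} =~ /\A[A-Z0-9]{2}\z/`, with the exact format confirmed against the location data. The same applies to `PROT` in the `saveservice` hunk. The escape is also added only on the `update eq 'on'` branch, and the rest of the `savelocationgrp` block lies outside the hunk, so it is worth confirming that the non-update path does not store the raw value.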
@@ -796,7 +796,7 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice')
                foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";}
                $customservice{$key}[0] = $fwhostsettings{'SRV_NAME'};
                $customservice{$key}[1] = $fwhostsettings{'SRV_PORT'};
-               $customservice{$key}[2] = $fwhostsettings{'PROT'};
+               $customservice{$key}[2] = 
&Header::escape($fwhostsettings{'PROT'});
                $customservice{$key}[3] = $ICMP;
                &General::writehasharray("$configsrv", \%customservice );
                #reset fields
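Review bot: `SRV_NAME` and `SRV_PORT`, on the two lines above the changed one, are still written into `%customservice` as submitted, while only `PROT` gets `&Header::escape`. The `saveservice` block starts outside this hunk, so they may already be validated earlier; if so, a short comment here would record it, e.g. `# SRV_NAME and SRV_PORT are validated above; PROT is escaped before storage`, and if not they need the same treatment. Because `&General::writehasharray` stores the escaped string, every page that prints the field must not escape it a second time, or the entities will appear doubled. Any consumer of the file that is not producing HTML would presumably also see the entity form rather than the protocol name.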

