jostreff/nsedit
1
0
Fork 0
mirror of https://github.com/tuxis-ie/nsedit.git synced 2025-04-20 20:13:40 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix escaping. Jtable shows (javascript-escaped) content. No other escaping is done on the content-field

Browse source 
For txt-records. First strip quotes surrounding the content and strip from slashes. Then, add slashes and quotes again. This maybe sub-optimal, but works for now.
This commit is contained in:
Mark Schouten 2014-05-26 13:45:03 +02:00
parent 2a6fd69192
commit 2eed9b39c0
2 changed files with 27 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
index.php
View file

@ -124,6 +124,22 @@ if (isset($templatelist)) {
<? } ?> <? } ?>
</div> </div>
<script type="text/javascript"> <script type="text/javascript">
var entityMap = {
"&": "&amp;",
"<": "&lt;",
">": "&gt;",
'"': '&quot;',
"'": '&#39;',
"/": '&#x2F;'
};
function escapeHtml(string) {
return String(string).replace(/[&<>"'\/]/g, function (s) {
return entityMap[s];
});
};
$(document).ready(function () { $(document).ready(function () {
<? if (is_adminuser()) { ?> <? if (is_adminuser()) { ?>
$('#Users').hide(); $('#Users').hide();
@ -241,7 +257,10 @@ $(document).ready(function () {
title: 'Prio' title: 'Prio'
}, },
content: { content: {
title: 'Content' title: 'Content',
display: function (data) {
return escapeHtml(data.value);
}
}, },
ttl: { ttl: {
title: 'TTL' title: 'TTL'
@ -388,6 +407,9 @@ $(document).ready(function () {
content: { content: {
title: 'Content', title: 'Content',
create: true create: true
display: function (data) {
return escapeHtml(data.value);
}
}, },
ttl: { ttl: {
title: 'TTL', title: 'TTL',

9
zones.php
View file

@ -58,7 +58,9 @@ function _create_record($name, $records, $input, $zoneurl) {
} }
if (preg_match('/^TXT$/', $input['type'])) { if (preg_match('/^TXT$/', $input['type'])) {
$content = addslashes($input['content']); $content = stripslashes($input['content']);
$content = preg_replace('/(^"|"$)/', '', $content);
$content = addslashes($content);
$content = '"'.$content.'"'; $content = '"'.$content.'"';
} }
@ -217,7 +219,6 @@ if ($action == "list" or $action== "listslaves") {
foreach ($rows['records'] as $idx => $record) { foreach ($rows['records'] as $idx => $record) {
$rows['records'][$idx]['id'] = json_encode($record); $rows['records'][$idx]['id'] = json_encode($record);
$rows['records'][$idx]['name'] = htmlspecialchars($record['name']); $rows['records'][$idx]['name'] = htmlspecialchars($record['name']);
$rows['records'][$idx]['content'] = htmlspecialchars($record['content']);
if ($record['type'] == 'SOA') { array_push($soa, $rows['records'][$idx]); } if ($record['type'] == 'SOA') { array_push($soa, $rows['records'][$idx]); }
elseif ($record['type'] == 'NS') { array_push($ns, $rows['records'][$idx]); } elseif ($record['type'] == 'NS') { array_push($ns, $rows['records'][$idx]); }
elseif ($record['type'] == 'MX') { array_push($mx, $rows['records'][$idx]); } elseif ($record['type'] == 'MX') { array_push($mx, $rows['records'][$idx]); }
@ -241,9 +242,7 @@ if ($action == "list" or $action== "listslaves") {
} }
$records =_create_record($name, $records, $_POST, $_GET['zoneurl']); $records =_create_record($name, $records, $_POST, $_GET['zoneurl']);
$ret = $records[sizeof($records)-1]; _jtable_respond($records[sizeof($records)-1], 'single');
$ret['content'] = htmlspecialchars($ret['content']);
_jtable_respond($ret, 'single');
} elseif ($action == "deleterecord") { } elseif ($action == "deleterecord") {
$todel = json_decode($_POST['id'], 1); $todel = json_decode($_POST['id'], 1);
$records = getrecords_by_name_type($_GET['zoneurl'], $todel['name'], $todel['type']); $records = getrecords_by_name_type($_GET['zoneurl'], $todel['name'], $todel['type']);