Enforce escaping on all template content

Oliver Gorwits
2019-09-23 14:22:00 +01:00
parent 5f378a39ea
commit deb9b62c7f
77 changed files with 392 additions and 387 deletions


@@ -14,7 +14,7 @@
$(document).ready(function() {
var table = $('#da-data-table').dataTable({
"deferRender": true,
"data": [% results %],
"data": [% results | none %],
"columns": [
{
"data": 'alias',
@@ -31,7 +31,7 @@ $(document).ready(function() {
"type": 'portsort',
"render": function(data, type, row, meta) {
return type === 'display' ?
'<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
'<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>' :
he.encode(data || '');
}
}, {
@@ -42,7 +42,7 @@ $(document).ready(function() {
}, {
"data": 'subnet',
"render": function(data, type, row, meta) {
return '<a href="[% search_device %]&q=' + encodeURIComponent(data) + '&ip=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
return '<a href="[% search_device | none %]&q=' + encodeURIComponent(data) + '&ip=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
}
}
],
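Review bot: `"data": [% results | none %]` inlines a JSON document into a `<script>` block, so its safety rests entirely on the serializer escaping `</` (or `<` as `\u003c`); otherwise a value containing `</script>` ends the script early, and with `| none` the template gives no second line of defence. The same applies to the `"data"` line of the last file section on this page. I can't see how `results` is produced, so this may already be handled server-side; if it is, a one-line comment above the line such as `// results is pre-encoded JSON; the encoder must escape "</" so the script block cannot be closed early` would record that contract, and if it is not, the fix belongs in the encoder rather than the template. The `$(document).ready` callback continues outside the hunk.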


@@ -3,7 +3,7 @@
<tbody>
<tr>
<td>System Name</td>
<td>[% d.name %]</td>
<td>[% d.name | html_entity %]</td>
</tr>
<tr>
<td>Location
@@ -13,13 +13,13 @@
</td>
[% IF user_can_port_control %]
<td class="nd_editable-cell" contenteditable="true"
data-field="location" data-for-device="[% d.ip %]">
data-field="location" data-for-device="[% d.ip | html_entity %]">
[% d.location | html_entity %]
</td>
[% ELSE %]
<td>
<a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
href="[% search_device %]&q=[% d.location | uri %]&location=[% d.location | uri %]">[% d.location | html_entity %]</a>
href="[% search_device | none %]&q=[% d.location | uri %]&location=[% d.location | uri %]">[% d.location | html_entity %]</a>
</td>
[% END %]
</tr>
@@ -42,20 +42,20 @@
<td>Vendor / Model</td>
<td>
<a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
href="[% search_device %]&q=[% d.vendor | uri %]&vendor=[% d.vendor | uri %]">[% d.vendor | html_entity %]</a>
href="[% search_device | none %]&q=[% d.vendor | uri %]&vendor=[% d.vendor | uri %]">[% d.vendor | html_entity %]</a>
/
<a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
href="[% search_device %]&q=[% d.model | uri %]&model=[% d.model | uri %]">[% d.model | html_entity %]</a>
href="[% search_device | none %]&q=[% d.model | uri %]&model=[% d.model | uri %]">[% d.model | html_entity %]</a>
</td>
</tr>
<tr>
<td>OS / Version</td>
<td>
<a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
href="[% search_device %]&q=[% d.os | uri %]&os=[% d.os | uri %]">[% d.os | html_entity %]</a>
href="[% search_device | none %]&q=[% d.os | uri %]&os=[% d.os | uri %]">[% d.os | html_entity %]</a>
/
<a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
href="[% search_device %]&q=[% d.os_ver | uri %]&os_ver=[% d.os_ver | uri %]">[% d.os_ver | html_entity %]</a>
href="[% search_device | none %]&q=[% d.os_ver | uri %]&os_ver=[% d.os_ver | uri %]">[% d.os_ver | html_entity %]</a>
</td>
</tr>
<tr>
@@ -70,7 +70,7 @@
[% FOREACH config IN settings._extra_device_details %]
<tr>
<td>
[% config.label %]
[% config.label | html_entity %]
</td>
<td>
[% TRY %]
@@ -104,13 +104,13 @@
<tr>
<td>Layers</td>
<td>
[% d.layers.substr(7,1) ? '<span class="badge badge-success">1</span>' : '<span class="badge">&nbsp;</span>' %]
[% d.layers.substr(6,1) ? '<span class="badge badge-success">2</span>' : '<span class="badge">&nbsp;</span>' %]
[% d.layers.substr(5,1) ? '<span class="badge badge-success">3</span>' : '<span class="badge">&nbsp;</span>' %]
[% d.layers.substr(4,1) ? '<span class="badge badge-success">4</span>' : '<span class="badge">&nbsp;</span>' %]
[% d.layers.substr(3,1) ? '<span class="badge badge-success">5</span>' : '<span class="badge">&nbsp;</span>' %]
[% d.layers.substr(2,1) ? '<span class="badge badge-success">6</span>' : '<span class="badge">&nbsp;</span>' %]
[% d.layers.substr(1,1) ? '<span class="badge badge-success">7</span>' : '<span class="badge">&nbsp;</span>' %]
[% (d.layers.substr(7,1) ? '<span class="badge badge-success">1</span>' : '<span class="badge">&nbsp;</span>') | none %]
[% (d.layers.substr(6,1) ? '<span class="badge badge-success">2</span>' : '<span class="badge">&nbsp;</span>') | none %]
[% (d.layers.substr(5,1) ? '<span class="badge badge-success">3</span>' : '<span class="badge">&nbsp;</span>') | none %]
[% (d.layers.substr(4,1) ? '<span class="badge badge-success">4</span>' : '<span class="badge">&nbsp;</span>') | none %]
[% (d.layers.substr(3,1) ? '<span class="badge badge-success">5</span>' : '<span class="badge">&nbsp;</span>') | none %]
[% (d.layers.substr(2,1) ? '<span class="badge badge-success">6</span>' : '<span class="badge">&nbsp;</span>') | none %]
[% (d.layers.substr(1,1) ? '<span class="badge badge-success">7</span>' : '<span class="badge">&nbsp;</span>') | none %]
</td>
</tr>
<tr>
@@ -139,7 +139,7 @@
[% UNLESS m.module == 1 %]
<br/>
[% END %]
Module [% m.module %]: [% m.status | html_entity %], [% m.poe_capable_ports %] power-capable ports, [% m.poe_powered_ports %] powered ([% m.poe_disabled_ports %] admin disabled, [% m.poe_errored_ports %] errors), [% m.poe_power_committed %]/[% m.power %] watts committed.
Module [% m.module | html_entity %]: [% m.status | html_entity %], [% m.poe_capable_ports | html_entity %] power-capable ports, [% m.poe_powered_ports | html_entity %] powered ([% m.poe_disabled_ports | html_entity %] admin disabled, [% m.poe_errored_ports | html_entity %] errors), [% m.poe_power_committed | html_entity %]/[% m.power | html_entity %] watts committed.
[% END %]
</td>
</tr>
@@ -153,16 +153,16 @@
<td>[% d.vtp_domain | html_entity %]</td>
</tr>
[% IF user_has_role('admin') %]
<tr data-for-device="[% d.ip %]">
<tr data-for-device="[% d.ip | html_entity %]">
<td>Admin Tasks</td>
<td>
<input type="hidden" data-form="discover" value="[% d.ip %]" name="device"/>
<input type="hidden" data-form="discover" value="[% d.ip | html_entity %]" name="device"/>
<button class="btn btn-info btn-small nd_adminbutton" name="discover">Discover</button>
<input type="hidden" data-form="arpnip" value="[% d.ip %]" name="device"/>
<input type="hidden" data-form="arpnip" value="[% d.ip | html_entity %]" name="device"/>
<button class="btn btn-info btn-small nd_adminbutton" name="arpnip">Arpnip</button>
<input type="hidden" data-form="macsuck" value="[% d.ip %]" name="device"/>
<input type="hidden" data-form="macsuck" value="[% d.ip | html_entity %]" name="device"/>
<button class="btn btn-info btn-small nd_adminbutton" name="macsuck">Macsuck</button>
<input type="hidden" data-form="nbtstat" value="[% d.ip %]" name="device"/>
<input type="hidden" data-form="nbtstat" value="[% d.ip | html_entity %]" name="device"/>
<button class="btn btn-info btn-small nd_adminbutton" name="nbtstat">NBTstat</button>
<button class="btn btn-danger btn-small pull-right"
@@ -187,7 +187,7 @@
<input id="nd_devdel-archive" type="checkbox" data-form="delete" name="archive">
<h4 class="nd_unbolden">Archive Nodes</h4>
</label>
<input type="hidden" data-form="delete" value="[% d.ip %]" name="device"/>
<input type="hidden" data-form="delete" value="[% d.ip | html_entity %]" name="device"/>
</div>
<div class="modal-footer">
<button class="btn btn-success" data-dismiss="modal" aria-hidden="true">Cancel</button>
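Review bot: `href="[% search_device | none %]&q=…"` on the Location link places a URL into an attribute value with escaping disabled, where `| html_entity` is the filter that matches the context: inside an attribute `&` should be emitted as `&amp;` (the browser decodes it before resolving the URL) and a stray `"` could otherwise terminate the attribute. The same pattern recurs on the vendor/model and OS/version links in this section and on the `href` lines of the later sections on this page. If `search_device` is a server-built URL that already carries attribute-encoded `&amp;`, `| none` is deliberate and this can be ignored; that cannot be determined from the hunk, so a short comment at the first use stating which it is would help the next reader.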


@@ -20,9 +20,9 @@
[%- ELSE -%]
<span><i class="icon-leaf"></i>&nbsp;
[%- END -%]
<a href="[% uri_for('/report/moduleinventory') %]?description=[% nodes.$item.module.description | uri %]">[% nodes.$item.module.description -%]</a>
<a href="[% uri_for('/report/moduleinventory') | none %]?description=[% nodes.$item.module.description | uri %]">[% nodes.$item.module.description -%]</a>
[%- IF nodes.$item.module.name -%]
<a href="[% uri_for('/report/moduleinventory') %]?name=[% nodes.$item.module.name | uri %]">([% nodes.$item.module.name %])</a>
<a href="[% uri_for('/report/moduleinventory') | none %]?name=[% nodes.$item.module.name | uri %]">([% nodes.$item.module.name %])</a>
[%- END -%]
[%- IF nodes.$item.module.fw_ver -%]
fw: [% nodes.$item.module.fw_ver %]
@@ -34,13 +34,13 @@
sw: [% nodes.$item.module.sw_ver %]
[%- END -%]
[%- IF nodes.$item.module.serial -%]
<a href="[% uri_for('/report/moduleinventory') %]?serial=[% nodes.$item.module.serial | uri %]">[serial: [% nodes.$item.module.serial %]]</a>
<a href="[% uri_for('/report/moduleinventory') | none %]?serial=[% nodes.$item.module.serial | uri %]">[serial: [% nodes.$item.module.serial %]]</a>
[%- END -%]
[%- IF nodes.$item.module.type -%]
/ <a href="[% uri_for('/report/moduleinventory') %]?type=[% nodes.$item.module.type | uri %]">[% nodes.$item.module.type %]</a>
/ <a href="[% uri_for('/report/moduleinventory') | none %]?type=[% nodes.$item.module.type | uri %]">[% nodes.$item.module.type %]</a>
[%- END -%]
[%- IF nodes.$item.module.model -%]
/ <a href="[% uri_for('/report/moduleinventory') %]?model=[% nodes.$item.module.model | uri %]">[% nodes.$item.module.model %]</a>
/ <a href="[% uri_for('/report/moduleinventory') | none %]?model=[% nodes.$item.module.model | uri %]">[% nodes.$item.module.model %]</a>
[%- END -%]
[%- IF nodes.$item.module.fru -%]
<b>[FRU]</b>
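Review bot: `[% nodes.$item.module.description -%]`, and likewise `.name`, `.fw_ver`, `.sw_ver`, `.serial`, `.type` and `.model` in these two hunks, are still emitted with no filter, while the commit adds `| html_entity` to every comparable bare value elsewhere (`d.name`, `config.label`, `row.remote_inventory`). If the commit also enables a template-wide autoescape these are covered; if escaping is per-variable they are the ones left out, and module inventory strings are presumably reported by the device rather than typed by an operator, which makes them exactly the kind of value the commit is meant to protect. Suggested change for the first link text: `[% nodes.$item.module.description | html_entity -%]`, with the same filter on the other six. Whether autoescape is on cannot be seen from this page.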


@@ -5,7 +5,7 @@
// ************ retrieve network map *************
// ***********************************************
$.getJSON('[% uri_for('/ajax/data/device/netmap') %]?[% my_query %]', function(mapdata) {
$.getJSON('[% uri_for('/ajax/data/device/netmap') | none %]?[% my_query | none %]', function(mapdata) {
jQuery(document).ready(function() {
window.graph = netGobrechtsD3Force('netmap_pane')
@@ -22,7 +22,7 @@ $.getJSON('[% uri_for('/ajax/data/device/netmap') %]?[% my_query %]', function(m
.showLinkDirection(false)
.colorScheme('color10')
//.preventLabelOverlappingOnForceEnd(
// (mapdata['newnodes'] && ('[% params.mapshow %]' == 'neighbors'))
// (mapdata['newnodes'] && ('[% params.mapshow | html_entity %]' == 'neighbors'))
// ? true : false
//)
.nodeEventToStopPinMode('none')
@@ -158,9 +158,9 @@ $.getJSON('[% uri_for('/ajax/data/device/netmap') %]?[% my_query %]', function(m
graph.start(mapdata);
// about a second after render starts, zoom in a bit
if ('[% params.mapshow %]' == 'neighbors') {
if ('[% params.mapshow | html_entity %]' == 'neighbors') {
setTimeout(function() {
//if ('[% params.dynamicsize %]' == 'on') {
//if ('[% params.dynamicsize | html_entity %]' == 'on') {
// graph.zoomToFit();
//} else {
var node = graph.nodeDataById( graph['nd2']['centernode'] );
@@ -215,7 +215,7 @@ function spin(selection, duration) {
function saveMapPositions() {
graph.inspect().main.nodes.each(function(n) { n.fixed = true });
$.post(
'[% uri_for('/ajax/data/device/netmappositions') %]'
'[% uri_for('/ajax/data/device/netmappositions') | none %]'
,$("#nd_vlan-entry, #nd_hgroup-select, #nd_lgroup-select, #nq, input[name='mapshow']").serialize()
+ '&positions=' + JSON.stringify(graph.positions())
);
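Review bot: `?[% my_query | none %]` on the `$.getJSON` line emits `my_query` unescaped inside a single-quoted JS string, so a `'`, `\` or `</script>` in it would break out of the literal or end the script block; `| none` is right for `uri_for(...)`, but the query part needs a JS-string-safe encoding (serialize it as a JSON string, or make sure it is assembled server-side from `| uri`-escaped components). Whether `my_query` derives from request parameters cannot be seen here; if it is built from already URI-escaped parts this is fine and deserves a comment saying so, e.g. `// my_query is assembled server-side from uri-escaped parts; safe to inline`. The `params.mapshow` and `params.dynamicsize` comparisons further down use `| html_entity` inside a JS string, which happens to neutralize quotes because entities are not decoded inside `<script>`, but a JSON encoding would state the intent more clearly. The `$.getJSON` callback continues outside the hunk.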


@@ -11,7 +11,7 @@
[% IF (item.name == 'c_port' OR item.name == 'c_descr' OR item.name == 'c_name') %]
[% th_class = ' class="portsort"' %]
[% END %]
<th[% th_class %]>
<th[% th_class | html_entity %]>
[% IF item.name == 'c_neighbors' %]
[% IF params.c_nodes %]
Connected Nodes &amp; Devices
@@ -84,7 +84,7 @@
<td nowrap data-order="[% row.port | html_entity %]" data-filter="[% row.port | html_entity %]">
[% END %]
<a class="nd_log-icon"
href="[% uri_for('/report/portlog') %]?q=[% device.ip | uri %]&f=[% row.port | uri %]">
href="[% uri_for('/report/portlog') | none %]?q=[% device.ip | uri %]&f=[% row.port | uri %]">
<i class="icon-file-text-alt"
rel="tooltip" data-placement="top" data-offset="3"
data-animation="" data-title="View Port Log"></i>
@@ -110,13 +110,13 @@
</span>
[% END %]
[% END %]
<a class="nd_this-port-only nd_port-only-first" href="[% device_ports %]&q=[% params.q | uri %]&f=[% row.port | uri %]&prefer=port">
<a class="nd_this-port-only nd_port-only-first" href="[% device_ports | none %]&q=[% params.q | uri %]&f=[% row.port | uri %]&prefer=port">
[% IF row.is_master %]
<small><i class="icon-group muted"></i></small>&nbsp;
[% END %]
[% row.port | html_entity %]</a>
[% IF row.slave_of %]<br/>
<a class="nd_this-port-only" href="[% device_ports %]&q=[% params.q | uri %]&f=[% row.slave_of | uri %]&prefer=port">
<a class="nd_this-port-only" href="[% device_ports | none %]&q=[% params.q | uri %]&f=[% row.slave_of | uri %]&prefer=port">
[% row.slave_of | html_entity %]</a>
[% END %]
</td>
@@ -204,7 +204,7 @@
<td>
[% IF row.vlan AND row.vlan > 0 %]
<a class="nd_linkcell"
href="[% uri_for('/search') %]?tab=vlan&q=[% row.vlan | uri %]">
href="[% uri_for('/search') | none %]?tab=vlan&q=[% row.vlan | uri %]">
[% row.vlan | html_entity %]</a>
[% END %]
</td>
@@ -229,7 +229,7 @@
<div class="nd_collapsing nd_collapse-pre-hidden">' _ output %]
[% SET output = output _ '</div>' %]
[% END %]
[% output %]
[% output | none %]
[% ELSE %]
<i class="icon-asterisk text-warning"></i> ([% vlans.$portname.vlan_count %] is too many to list)
[% END %]
@@ -292,16 +292,16 @@
[% ELSIF row.remote_is_wap %]
<i class="icon-rss"></i>&nbsp;
[% END %]
<a href="[% device_ports %]&q=[% row.get_column('neighbor_ip') | uri %]">
<a href="[% device_ports | none %]&q=[% row.get_column('neighbor_ip') | uri %]">
[% row.get_column('neighbor_dns').remove(settings.domain_suffix) || row.get_column('neighbor_ip') | html_entity %]</a>
[% IF row.remote_port and has_snmp(row.remote_type) %]
-
<a href="[% device_ports %]&q=[% row.get_column('neighbor_ip') | uri %]&f=[% row.remote_port | uri %]&prefer=port">
<a href="[% device_ports | none %]&q=[% row.get_column('neighbor_ip') | uri %]&f=[% row.remote_port | uri %]&prefer=port">
[% row.remote_port | html_entity %]</a>
[% END %]
<br/>
[% IF params.n_inventory and row.remote_inventory %]
[% row.remote_inventory %]<br/>
[% row.remote_inventory | html_entity %]<br/>
[% END %]
[% IF params.n_detailed_inventory and (row.remote_id or row.remote_type) %]
([% 'id: '_ row.remote_id IF row.remote_id %]
@@ -314,14 +314,14 @@
[% ELSIF row.remote_is_wap %]
<i class="icon-rss"></i>&nbsp;
[% END %]
<a href="[% search_node %]&q=[% row.remote_ip | uri %]">
<a href="[% search_node | none %]&q=[% row.remote_ip | uri %]">
[% row.remote_ip | html_entity %]
[% IF row.remote_port and has_snmp(row.remote_type) %]
- [% row.remote_port | html_entity %]
[% END %]
</a><br/>
[% IF params.n_inventory and row.remote_inventory %]
[% row.remote_inventory %]<br/>
[% row.remote_inventory | html_entity %]<br/>
[% END %]
[% IF params.n_detailed_inventory and (row.remote_id or row.remote_type) %]
([% 'id: '_ row.remote_id IF row.remote_id %]
@@ -336,7 +336,7 @@
[% '<br/>' IF (row.remote_ip OR row.is_uplink) OR NOT loop.first %]
[% '<i class="icon-book"></i>&nbsp; ' IF NOT node.active %]
[% '<i class="icon-signal"></i>&nbsp;' IF node.wireless.defined %]
<a href="[% search_node %]&q=[% node.net_mac.$mac_format_call | uri %]">
<a href="[% search_node | none %]&q=[% node.net_mac.$mac_format_call | uri %]">
[% node.net_mac.$mac_format_call | html_entity %]</a>
[% IF (node.vlan > 0) && (node.vlan != row.vlan) %]
(on vlan [% node.vlan | html_entity %])
@@ -361,23 +361,23 @@
<br/>&nbsp; [% '<i class="icon-book"></i>&nbsp; ' IF NOT ip.active %]
[% SET dns = ip.dns %]
[% IF dns %]
<a href="[% search_node %]&q=[% ip.ip | uri %]">[% dns %] ([% ip.ip | html_entity %])</a>
<a href="[% search_node | none %]&q=[% ip.ip | uri %]">[% dns | html_entity %] ([% ip.ip | html_entity %])</a>
[% ELSE %]
<a href="[% search_node %]&q=[% ip.ip | uri %]">[% ip.ip | html_entity %]</a>
<a href="[% search_node | none %]&q=[% ip.ip | uri %]">[% ip.ip | html_entity %]</a>
[% END %]
[% END %]
[% END %]
[% IF params.n_netbios %]
[% FOREACH nbt IN node.netbios %]
<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\\<a href="[% uri_for('/report/netbios') %]?domain=[% nbt.domain | uri %]" title="Nodes in this Domain">[% nbt.domain | html_entity %]</a>\<a href="[% search_node %]&q=[% nbt.nbname | uri %]">[% nbt.nbname | html_entity %]</a>
<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[% nbt.nbuser || '[No User]' | html_entity %]@<a href="[% search_node %]&q=[% nbt.ip | uri %]">[% nbt.ip | html_entity %]</a>
<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\\<a href="[% uri_for('/report/netbios') | none %]?domain=[% nbt.domain | uri %]" title="Nodes in this Domain">[% nbt.domain | html_entity %]</a>\<a href="[% search_node | none %]&q=[% nbt.nbname | uri %]">[% nbt.nbname | html_entity %]</a>
<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[% nbt.nbuser || '[No User]' | html_entity %]@<a href="[% search_node | none %]&q=[% nbt.ip | uri %]">[% nbt.ip | html_entity %]</a>
[% END %]
[% END %]
[% END %]
[% END %]
[% IF user_can_port_control AND params.c_admin %]
<a class="nd_log-icon"
href="[% uri_for('/admin/topology') %]?dev1=[% device.ip | uri %]&port1=[% row.port | uri %]">
href="[% uri_for('/admin/topology') | none %]?dev1=[% device.ip | uri %]&port1=[% row.port | uri %]">
<i class="icon-link text-warning"
rel="tooltip" data-placement="top" data-offset="3"
data-animation="" data-title="Manual Topology"></i>
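Review bot: `<th[% th_class | html_entity %]>` in the first hunk breaks the port-sort columns: `th_class` is set two lines above to the literal ` class="portsort"`, and `html_entity` turns its quotes into `&quot;`, so the rendered tag becomes `<th class=&quot;portsort&quot;>` — an unquoted attribute whose decoded class name is `"portsort"` with the quotes included, which no longer matches the `portsort` sorter. The value is template-authored markup rather than data, so it belongs with the other raw fragments in this commit (`output | none`): `<th[% th_class | none %]>`. Alternatively write the attribute in the template and filter only the class name, so no markup passes through a variable at all.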


@@ -11,17 +11,17 @@
$(document).ready(function() {
var table = $('#data-table').dataTable({
"deferRender": true,
"data": [% results %],
"data": [% results | none %],
"columns": [
{
"data": 'vlan',
"render": function(data, type, row, meta) {
return '<a href="[% device_ports %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + data + '</a>';
return '<a href="[% device_ports | none %]&q=' + encodeURIComponent(row.ip) + '&f=' + encodeURIComponent(data) + '">' + data + '</a>';
}
}, {
"data": 'description',
"render": function(data, type, row, meta) {
return '<a href="[% uri_for('/search') %]?tab=vlan&q=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
return '<a href="[% uri_for('/search') | none %]?tab=vlan&q=' + encodeURIComponent(data) + '">' + he.encode(data || '') + '</a>';
}
}
],
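Review bot: the vlan column's render (the `"data": 'vlan'` branch) concatenates `data` into the anchor text unencoded, `'">' + data + '</a>'`, while the sibling description column on the same page uses `he.encode(data || '')`; the commit fixes the URL prefix on that line but leaves the HTML context unescaped. Suggested: `'">' + he.encode(String(data == null ? '' : data)) + '</a>'` — `String(...)` because a VLAN id is likely numeric and `he.encode` expects a string, and `== null` rather than `||` so a value of 0 is not rendered as empty. The `$(document).ready` callback continues outside the hunk.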