Enforce escaping on all template content

2019-09-23 14:22:00 +01:00
parent 5f378a39ea
commit deb9b62c7f
77 changed files with 392 additions and 387 deletions
--- a/share/views/ajax/device/details.tt
+++ b/share/views/ajax/device/details.tt
@@ -3,7 +3,7 @@
  <tbody>
    <tr>
      <td>System Name</td>
-      <td>[% d.name %]</td>
+      <td>[% d.name | html_entity %]</td>
    </tr>
    <tr>
      <td>Location
@@ -13,13 +13,13 @@
      </td>
      [% IF user_can_port_control %]
      <td class="nd_editable-cell" contenteditable="true"
-        data-field="location" data-for-device="[% d.ip %]">
+        data-field="location" data-for-device="[% d.ip | html_entity %]">
          [% d.location | html_entity %]
      </td>
      [% ELSE %]
      <td>
        <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&q=[% d.location | uri %]&location=[% d.location | uri %]">[% d.location | html_entity %]</a>
+        href="[% search_device | none %]&q=[% d.location | uri %]&location=[% d.location | uri %]">[% d.location | html_entity %]</a>
      </td>
      [% END %]
    </tr>
@@ -42,20 +42,20 @@
      <td>Vendor / Model</td>
      <td>
        <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&q=[% d.vendor | uri %]&vendor=[% d.vendor | uri %]">[% d.vendor | html_entity %]</a>
+        href="[% search_device | none %]&q=[% d.vendor | uri %]&vendor=[% d.vendor | uri %]">[% d.vendor | html_entity %]</a>
        /
        <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&q=[% d.model | uri %]&model=[% d.model | uri %]">[% d.model | html_entity %]</a>
+        href="[% search_device | none %]&q=[% d.model | uri %]&model=[% d.model | uri %]">[% d.model | html_entity %]</a>
      </td>
    </tr>
    <tr>
      <td>OS / Version</td>
      <td>
        <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&q=[% d.os | uri %]&os=[% d.os | uri %]">[% d.os | html_entity %]</a>
+        href="[% search_device | none %]&q=[% d.os | uri %]&os=[% d.os | uri %]">[% d.os | html_entity %]</a>
        /
        <a rel="tooltip" data-placement="top" data-offset="5" data-title="Find Similar Devices"
-        href="[% search_device %]&q=[% d.os_ver | uri %]&os_ver=[% d.os_ver | uri %]">[% d.os_ver | html_entity %]</a>
+        href="[% search_device | none %]&q=[% d.os_ver | uri %]&os_ver=[% d.os_ver | uri %]">[% d.os_ver | html_entity %]</a>
      </td>
    </tr>
    <tr>
@@ -70,7 +70,7 @@
    [% FOREACH config IN settings._extra_device_details %]
    <tr>
      <td>
-          [% config.label %]
+          [% config.label | html_entity %]
      </td>
      <td>
          [% TRY %]
@@ -104,13 +104,13 @@
    <tr>
      <td>Layers</td>
      <td>
-        [% d.layers.substr(7,1) ? '<span class="badge badge-success">1</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(6,1) ? '<span class="badge badge-success">2</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(5,1) ? '<span class="badge badge-success">3</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(4,1) ? '<span class="badge badge-success">4</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(3,1) ? '<span class="badge badge-success">5</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(2,1) ? '<span class="badge badge-success">6</span>' : '<span class="badge">&nbsp;</span>' %]
-        [% d.layers.substr(1,1) ? '<span class="badge badge-success">7</span>' : '<span class="badge">&nbsp;</span>' %]
+        [% (d.layers.substr(7,1) ? '<span class="badge badge-success">1</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(6,1) ? '<span class="badge badge-success">2</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(5,1) ? '<span class="badge badge-success">3</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(4,1) ? '<span class="badge badge-success">4</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(3,1) ? '<span class="badge badge-success">5</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(2,1) ? '<span class="badge badge-success">6</span>' : '<span class="badge">&nbsp;</span>') | none %]
+        [% (d.layers.substr(1,1) ? '<span class="badge badge-success">7</span>' : '<span class="badge">&nbsp;</span>') | none %]
      </td>
    </tr>
    <tr>
@@ -139,7 +139,7 @@
        [% UNLESS m.module == 1 %]
          <br/>
        [% END %]
-        Module [% m.module %]: [% m.status | html_entity %], [% m.poe_capable_ports %] power-capable ports, [% m.poe_powered_ports %] powered ([% m.poe_disabled_ports %] admin disabled, [% m.poe_errored_ports %] errors), [% m.poe_power_committed %]/[% m.power %] watts committed.
+        Module [% m.module | html_entity %]: [% m.status | html_entity %], [% m.poe_capable_ports | html_entity %] power-capable ports, [% m.poe_powered_ports | html_entity %] powered ([% m.poe_disabled_ports | html_entity %] admin disabled, [% m.poe_errored_ports | html_entity %] errors), [% m.poe_power_committed | html_entity %]/[% m.power | html_entity %] watts committed.
      [% END %]
      </td>
    </tr>
@@ -153,16 +153,16 @@
      <td>[% d.vtp_domain | html_entity %]</td>
    </tr>
    [% IF user_has_role('admin') %]
-    <tr data-for-device="[% d.ip %]">
+    <tr data-for-device="[% d.ip | html_entity %]">
      <td>Admin Tasks</td>
      <td>
-        <input type="hidden" data-form="discover" value="[% d.ip %]" name="device"/>
+        <input type="hidden" data-form="discover" value="[% d.ip | html_entity %]" name="device"/>
        <button class="btn btn-info btn-small nd_adminbutton" name="discover">Discover</button>
-        <input type="hidden" data-form="arpnip" value="[% d.ip %]" name="device"/>
+        <input type="hidden" data-form="arpnip" value="[% d.ip | html_entity %]" name="device"/>
        <button class="btn btn-info btn-small nd_adminbutton" name="arpnip">Arpnip</button>
-        <input type="hidden" data-form="macsuck" value="[% d.ip %]" name="device"/>
+        <input type="hidden" data-form="macsuck" value="[% d.ip | html_entity %]" name="device"/>
        <button class="btn btn-info btn-small nd_adminbutton" name="macsuck">Macsuck</button>
-        <input type="hidden" data-form="nbtstat" value="[% d.ip %]" name="device"/>
+        <input type="hidden" data-form="nbtstat" value="[% d.ip | html_entity %]" name="device"/>
        <button class="btn btn-info btn-small nd_adminbutton" name="nbtstat">NBTstat</button>

        <button class="btn btn-danger btn-small pull-right"
@@ -187,7 +187,7 @@
              <input id="nd_devdel-archive" type="checkbox" data-form="delete" name="archive">
              <h4 class="nd_unbolden">Archive Nodes</h4>
            </label>
-            <input type="hidden" data-form="delete" value="[% d.ip %]" name="device"/>
+            <input type="hidden" data-form="delete" value="[% d.ip | html_entity %]" name="device"/>
          </div>
          <div class="modal-footer">
            <button class="btn btn-success" data-dismiss="modal" aria-hidden="true">Cancel</button>