Enforce escaping on all template content

2019-09-23 14:22:00 +01:00
parent 5f378a39ea
commit deb9b62c7f
77 changed files with 392 additions and 387 deletions
--- a/share/views/ajax/device/ports.tt
+++ b/share/views/ajax/device/ports.tt
@@ -11,7 +11,7 @@
        [% IF (item.name == 'c_port' OR item.name == 'c_descr' OR item.name == 'c_name') %]
          [% th_class = ' class="portsort"' %]
        [% END %]
-        <th[% th_class %]>
+        <th[% th_class | html_entity %]>
          [% IF item.name == 'c_neighbors' %]
          [% IF params.c_nodes %]
          Connected Nodes &amp; Devices
@@ -84,7 +84,7 @@
      <td nowrap data-order="[% row.port | html_entity %]" data-filter="[% row.port | html_entity %]">
      [% END %]
        <a class="nd_log-icon"
-          href="[% uri_for('/report/portlog') %]?q=[% device.ip | uri %]&f=[% row.port | uri %]">
+          href="[% uri_for('/report/portlog') | none %]?q=[% device.ip | uri %]&f=[% row.port | uri %]">
          <i class="icon-file-text-alt"
            rel="tooltip" data-placement="top" data-offset="3"
            data-animation="" data-title="View Port Log"></i>
@@ -110,13 +110,13 @@
        </span>
      [% END %]
      [% END %]
-        <a class="nd_this-port-only nd_port-only-first" href="[% device_ports %]&q=[% params.q | uri %]&f=[% row.port | uri %]&prefer=port">
+        <a class="nd_this-port-only nd_port-only-first" href="[% device_ports | none %]&q=[% params.q | uri %]&f=[% row.port | uri %]&prefer=port">
          [% IF row.is_master %]
            <small><i class="icon-group muted"></i></small>&nbsp;
          [% END %]
        [% row.port | html_entity %]</a>
        [% IF row.slave_of %]<br/>
-          <a class="nd_this-port-only" href="[% device_ports %]&q=[% params.q | uri %]&f=[% row.slave_of | uri %]&prefer=port">
+          <a class="nd_this-port-only" href="[% device_ports | none %]&q=[% params.q | uri %]&f=[% row.slave_of | uri %]&prefer=port">
          [% row.slave_of | html_entity %]</a>
        [% END %]
      </td>
@@ -204,7 +204,7 @@
      <td>
        [% IF row.vlan AND row.vlan > 0 %]
        <a class="nd_linkcell"
-          href="[% uri_for('/search') %]?tab=vlan&q=[% row.vlan | uri %]">
+          href="[% uri_for('/search') | none %]?tab=vlan&q=[% row.vlan | uri %]">
            [% row.vlan | html_entity %]</a>
        [% END %]
      </td>
@@ -229,7 +229,7 @@
                <div class="nd_collapsing nd_collapse-pre-hidden">' _ output %]
            [% SET output = output _ '</div>' %]
          [% END %]
-          [% output %]
+          [% output | none %]
        [% ELSE %]
        <i class="icon-asterisk text-warning"></i> ([% vlans.$portname.vlan_count %] is too many to list)
        [% END %]
@@ -292,16 +292,16 @@
            [% ELSIF row.remote_is_wap %]
              <i class="icon-rss"></i>&nbsp;
            [% END %]
-            <a href="[% device_ports %]&q=[% row.get_column('neighbor_ip') | uri %]">
+            <a href="[% device_ports | none %]&q=[% row.get_column('neighbor_ip') | uri %]">
                [% row.get_column('neighbor_dns').remove(settings.domain_suffix) || row.get_column('neighbor_ip') | html_entity %]</a>
            [% IF row.remote_port and has_snmp(row.remote_type) %]
                -
-                <a href="[% device_ports %]&q=[% row.get_column('neighbor_ip') | uri %]&f=[% row.remote_port | uri %]&prefer=port">
+                <a href="[% device_ports | none %]&q=[% row.get_column('neighbor_ip') | uri %]&f=[% row.remote_port | uri %]&prefer=port">
                    [% row.remote_port | html_entity %]</a>
            [% END %]
            <br/>
            [% IF params.n_inventory and row.remote_inventory %]
-              [% row.remote_inventory %]<br/>
+              [% row.remote_inventory | html_entity %]<br/>
            [% END %]
            [% IF params.n_detailed_inventory and (row.remote_id or row.remote_type) %]
              ([% 'id: '_ row.remote_id IF row.remote_id %]
@@ -314,14 +314,14 @@
            [% ELSIF row.remote_is_wap %]
              <i class="icon-rss"></i>&nbsp;
            [% END %]
-            <a href="[% search_node %]&q=[% row.remote_ip | uri %]">
+            <a href="[% search_node | none %]&q=[% row.remote_ip | uri %]">
              [% row.remote_ip | html_entity %]
              [% IF row.remote_port and has_snmp(row.remote_type) %]
                - [% row.remote_port | html_entity %]
              [% END %]
            </a><br/>
            [% IF params.n_inventory and row.remote_inventory %]
-              [% row.remote_inventory %]<br/>
+              [% row.remote_inventory | html_entity %]<br/>
            [% END %]
            [% IF params.n_detailed_inventory and (row.remote_id or row.remote_type) %]
              ([% 'id: '_ row.remote_id IF row.remote_id %]
@@ -336,7 +336,7 @@
          [% '<br/>' IF (row.remote_ip OR row.is_uplink) OR NOT loop.first %]
          [% '<i class="icon-book"></i>&nbsp; ' IF NOT node.active %]
          [% '<i class="icon-signal"></i>&nbsp;' IF node.wireless.defined %]
-          <a href="[% search_node %]&q=[% node.net_mac.$mac_format_call | uri %]">
+          <a href="[% search_node | none %]&q=[% node.net_mac.$mac_format_call | uri %]">
            [% node.net_mac.$mac_format_call | html_entity %]</a>
          [% IF (node.vlan > 0) && (node.vlan != row.vlan) %]
            (on vlan [% node.vlan | html_entity %])
@@ -361,23 +361,23 @@
            <br/>&nbsp; [% '<i class="icon-book"></i>&nbsp; ' IF NOT ip.active %]
              [% SET dns = ip.dns %]
              [% IF dns %]
-              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% dns %] ([% ip.ip | html_entity %])</a>
+              <a href="[% search_node | none %]&q=[% ip.ip | uri %]">[% dns | html_entity %] ([% ip.ip | html_entity %])</a>
              [% ELSE %]
-              <a href="[% search_node %]&q=[% ip.ip | uri %]">[% ip.ip | html_entity %]</a>
+              <a href="[% search_node | none %]&q=[% ip.ip | uri %]">[% ip.ip | html_entity %]</a>
              [% END %]
            [% END %]
          [% END %]
          [% IF params.n_netbios %]
            [% FOREACH nbt IN node.netbios %]
-            <br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\\<a href="[% uri_for('/report/netbios') %]?domain=[% nbt.domain | uri %]" title="Nodes in this Domain">[% nbt.domain | html_entity %]</a>\<a href="[% search_node %]&q=[% nbt.nbname | uri %]">[% nbt.nbname | html_entity %]</a>
-            <br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[% nbt.nbuser || '[No User]' | html_entity %]@<a href="[% search_node %]&q=[% nbt.ip | uri %]">[% nbt.ip | html_entity %]</a>
+            <br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\\<a href="[% uri_for('/report/netbios') | none %]?domain=[% nbt.domain | uri %]" title="Nodes in this Domain">[% nbt.domain | html_entity %]</a>\<a href="[% search_node | none %]&q=[% nbt.nbname | uri %]">[% nbt.nbname | html_entity %]</a>
+            <br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[% nbt.nbuser || '[No User]' | html_entity %]@<a href="[% search_node | none %]&q=[% nbt.ip | uri %]">[% nbt.ip | html_entity %]</a>
            [% END %]
          [% END %]
        [% END %]
        [% END %]
        [% IF user_can_port_control AND params.c_admin %]
        <a class="nd_log-icon"
-          href="[% uri_for('/admin/topology') %]?dev1=[% device.ip | uri %]&port1=[% row.port | uri %]">
+          href="[% uri_for('/admin/topology') | none %]?dev1=[% device.ip | uri %]&port1=[% row.port | uri %]">
          <i class="icon-link text-warning"
            rel="tooltip" data-placement="top" data-offset="3"
            data-animation="" data-title="Manual Topology"></i>