Merge commit from fork

Alternative advisory fix, including the fix for the Lua function

Author: PromoFaux

scripts/js/charts.js

@@ -5,7 +5,7 @@
  *  This file is copyright under the latest version of the EUPL.
  *  Please see LICENSE file for your rights under this license. */
 
-/* global upstreamIPs:false */
+/* global upstreamIPs:false, utils:false */
 
 "use strict";
 
@@ -211,7 +211,7 @@ function setTooltipContent(tooltipEl, tooltip) {
   let tooltipHtml = "<thead>";
 
   for (const title of titleLines) {
-    tooltipHtml += `<tr><th>${title}</th></tr>`;
+    tooltipHtml += `<tr><th>${utils.escapeHtml(title)}</th></tr>`;
   }
 
   tooltipHtml += "</thead><tbody>";
@@ -231,7 +231,7 @@ function setTooltipContent(tooltipEl, tooltip) {
     // Do not display entries with value of 0 in bar chart,
     // but pass through entries with "0.0%" (in pie charts)
     if (num[1] !== "0") {
-      tooltipHtml += `<tr><td>${span}${body}</td></tr>`;
+      tooltipHtml += `<tr><td>${span}${utils.escapeHtml(body.toString())}</td></tr>`;
       printed++;
     }
   }

scripts/js/network.js

@@ -163,7 +163,9 @@ $(() => {
 
         // Only add IPs to the table if we have not reached the maximum
         if (ips.length < MAXIPDISPLAY) {
-          ips.push(`<a href="queries?client_ip=${ip}">${iptext}</a>`);
+          ips.push(
+            `<a href="queries?client_ip=${encodeURIComponent(ip)}">${utils.escapeHtml(iptext)}</a>`
+          );
         }
       }
 

scripts/js/queries.js

@@ -159,7 +159,7 @@ function parseQueryStatus(data) {
       icon = "fa-solid fa-cloud-download-alt";
       fieldtext =
         (data.reply.type !== "UNKNOWN" ? "Forwarded, reply from " : "Forwarded to ") +
-        data.upstream;
+        utils.escapeHtml(data.upstream);
       buttontext =
         '<button type="button" class="btn btn-default btn-sm text-red btn-blacklist"><i class="fa fa-ban"></i> Deny</button>';
       break;
@@ -270,14 +270,14 @@ function parseQueryStatus(data) {
     case "SPECIAL_DOMAIN":
       colorClass = "text-red";
       icon = "fa-solid fa-ban";
-      fieldtext = data.status;
+      fieldtext = utils.escapeHtml(data.status);
       buttontext = "";
       blocked = true;
       break;
     default:
       colorClass = "text-orange";
       icon = "fa-solid fa-question";
-      fieldtext = data.status;
+      fieldtext = utils.escapeHtml(data.status);
       buttontext = "";
   }
 
@@ -374,7 +374,10 @@ function formatInfo(data) {
   let cnameInfo = "";
   if (queryStatus.isCNAME) {
     cnameInfo =
-      divStart + "Query was blocked during CNAME inspection of&nbsp;&nbsp;" + data.cname + "</div>";
+      divStart +
+      "Query was blocked during CNAME inspection of&nbsp;&nbsp;" +
+      utils.escapeHtml(data.cname) +
+      "</div>";
   }
 
   // Show TTL if applicable
@@ -392,8 +395,8 @@ function formatInfo(data) {
   // Show client information, show hostname only if available
   const ipInfo =
     data.client.name !== null && data.client.name.length > 0
-      ? utils.escapeHtml(data.client.name) + " (" + data.client.ip + ")"
-      : data.client.ip;
+      ? utils.escapeHtml(data.client.name) + " (" + utils.escapeHtml(data.client.ip) + ")"
+      : utils.escapeHtml(data.client.ip);
   const clientInfo = divStart + "Client:&nbsp;&nbsp;<strong>" + ipInfo + "</strong></div>";
 
   // Show DNSSEC status if applicable
@@ -418,7 +421,7 @@ function formatInfo(data) {
   let replyInfo = "";
   replyInfo =
     data.reply.type !== "UNKNOWN"
-      ? divStart + "Reply:&nbsp;&nbsp;" + data.reply.type + "</div>"
+      ? divStart + `Reply:&nbsp;&nbsp;${utils.escapeHtml(data.reply.type)}</div>`
       : divStart + "Reply:&nbsp;&nbsp;No reply received</div>";
 
   // Show extended DNS error if applicable
@@ -429,7 +432,7 @@ function formatInfo(data) {
       edeInfo += ' class="' + dnssec.color + '"';
     }
 
-    edeInfo += ">" + data.ede.text + "</strong></div>";
+    edeInfo += ">" + utils.escapeHtml(data.ede.text) + "</strong></div>";
   }
 
   // Compile extra info for displaying
@@ -640,7 +643,7 @@ $(() => {
             " " +
             querystatus.colorClass +
             "' title='" +
-            utils.escapeHtml(querystatus.fieldtext) +
+            querystatus.fieldtext +
             "'></i>"
         );
       } else if (querystatus.colorClass !== false) {

scripts/js/settings-advanced.js

@@ -90,9 +90,9 @@ function valueDetails(key, value) {
         '<label class="col-sm-2 control-label">Value <small>(string)</small></label>' +
         '<div class="col-sm-10">' +
         '<input type="text" class="form-control" value="' +
-        value.value +
+        utils.escapeHtml(value.value) +
         '" data-key="' +
-        key +
+        utils.escapeHtml(key) +
         '"' +
         extraAttributes +
         "> " +
@@ -129,9 +129,9 @@ function valueDetails(key, value) {
         '<label class="col-sm-2 control-label">Value</label>' +
         '<div class="col-sm-10">' +
         '<input type="number" class="form-control" value="' +
-        value.value +
+        utils.escapeHtml(String(value.value)) +
         '" data-key="' +
-        key +
+        utils.escapeHtml(key) +
         '" data-type="float"' +
         extraAttributes +
         "> " +
@@ -146,9 +146,9 @@ function valueDetails(key, value) {
         '<label class="col-sm-2 control-label">Value <small>(integer)</small></label>' +
         '<div class="col-sm-10">' +
         '<input type="number" step="1" class="form-control" value="' +
-        value.value +
+        utils.escapeHtml(String(value.value)) +
         '" data-key="' +
-        key +
+        utils.escapeHtml(key) +
         '" data-type="integer"' +
         extraAttributes +
         "> " +
@@ -163,9 +163,9 @@ function valueDetails(key, value) {
         '<label class="col-sm-4 control-label">Value <small>(unsigned integer)</small></label>' +
         '<div class="col-sm-8">' +
         '<input type="number" step="1" min="0" class="form-control" value="' +
-        value.value +
+        utils.escapeHtml(String(value.value)) +
         '" data-key="' +
-        key +
+        utils.escapeHtml(key) +
         '" data-type="integer"' +
         extraAttributes +
         "> " +
@@ -180,9 +180,9 @@ function valueDetails(key, value) {
         '<label class="col-sm-4 control-label">Value <small>(unsigned 16bit integer)</small></label>' +
         '<div class="col-sm-8">' +
         '<input type="number" step="1" min="0" max="65535" class="form-control" value="' +
-        value.value +
+        utils.escapeHtml(String(value.value)) +
         '" data-key="' +
-        key +
+        utils.escapeHtml(key) +
         '" data-type="integer"' +
         extraAttributes +
         "> " +

scripts/js/taillog.js

@@ -98,7 +98,7 @@ function getData() {
   // Validate that file parameter is one of the allowed values
   if (!allowedFileParams.includes(queryParams.file)) {
     const errorMessage = `Invalid file parameter: ${queryParams.file}. Allowed values are: ${allowedFileParams.join(", ")}`;
-    outputElement.innerHTML = `<div><em class="text-danger">*** Error: ${errorMessage} ***</em></div>`;
+    outputElement.innerHTML = `<div><em class="text-danger">*** Error: ${utils.escapeHtml(errorMessage)} ***</em></div>`;
     return;
   }
 

scripts/lua/header.lp

@@ -47,13 +47,13 @@ end
 
 -- Function to sanitize hostname containing invalid HTML characters
 function sanitize_hostname(str)
-    -- Check if string contains any of the HTML special characters
-    if str:find("&<>\"'") then
-        return "invalid hostname"
-    end
-
-    -- Return the original string if no special characters are found
-    return str
+    return str:gsub("[&<>\"']", {
+        ["&"] = "&amp;",
+        ["<"] = "&lt;",
+        [">"] = "&gt;",
+        ['"'] = "&quot;",
+        ["'"] = "&#039;"
+    })
 end
 
 -- Sanitize hostname