fix(security): harden audit detail rendering

Author: somethingwithproof

audit.php

@@ -24,6 +24,7 @@
 
 chdir('../../');
 include_once('./include/auth.php');
+require_once(__DIR__ . '/audit_helpers.php');
 
 set_default_action();
 
@@ -98,9 +99,9 @@
 					}
 
 					if (is_array($content)) {
-						$output .= '<td style="font-weight:bold;white-space:nowrap;">' . $field . '</td><td">' . implode(',', $content) . '</td>';
+						$output .= '<td style="font-weight:bold;white-space:nowrap;">' . audit_html_escape($field) . '</td><td>' . audit_html_escape(implode(',', $content)) . '</td>';
 					} else {
-						$output .= '<td style="font-weight:bold;white-space:nowrap;">' . $field . '</td><td>' . $content . '</td>';
+						$output .= '<td style="font-weight:bold;white-space:nowrap;">' . audit_html_escape($field) . '</td><td>' . audit_html_escape($content) . '</td>';
 					}
 
 					$i++;
@@ -119,7 +120,7 @@
 				$output .= '<tr><td colspan="' . ($columns * 2) . '"><b>' . __('Record Data:', 'audit') . '</b></td></tr>';
 
 				foreach ($recordData as $record) {
-					$output .= '<tr><td colspan="' . ($columns * 2) . '"><pre>' . json_encode($record, JSON_PRETTY_PRINT) . '</pre></td></tr>';
+					$output .= '<tr><td colspan="' . ($columns * 2) . '"><pre>' . audit_html_escape(json_encode($record, JSON_PRETTY_PRINT)) . '</pre></td></tr>';
 				}
 			} else {
 				$output .= '</table>';
@@ -163,8 +164,9 @@ function audit_export_rows() {
 		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' page = ' . db_qstr(get_request_var('event_page'));
 	}
 
-	if (!isempty_request_var('user_id') && get_request_var('user_id') > '-1') {
-		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' user_id = ' . get_request_var('user_id');
+	$user_id = audit_normalize_int(get_request_var('user_id'), -1);
+	if ($user_id > -1) {
+		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' user_id = ' . $user_id;
 	}
 
 	$events = db_fetch_assoc("SELECT audit_log.*, user_auth.username
@@ -357,8 +359,9 @@ function audit_log() {
 		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' page = ' . db_qstr(get_request_var('event_page'));
 	}
 
-	if (!isempty_request_var('user_id') && get_request_var('user_id') > '-1') {
-		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' user_id = ' . get_request_var('user_id');
+	$user_id = audit_normalize_int(get_request_var('user_id'), -1);
+	if ($user_id > -1) {
+		$sql_where .= ($sql_where != '' ? ' AND ':'WHERE ') . ' user_id = ' . $user_id;
 	}
 
 	$total_rows = db_fetch_cell("SELECT
@@ -463,4 +466,3 @@ function audit_log() {
 	<script type='text/javascript' src='plugins/audit/js/functions.js'></script>
 	<?php
 }
-

audit_helpers.php

@@ -0,0 +1,34 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | Shared helpers for audit request normalization and output escaping.     |
+ +-------------------------------------------------------------------------+
+ */
+
+if (!function_exists('audit_normalize_int')) {
+	function audit_normalize_int($value, $default = -1) {
+		if (is_int($value)) {
+			return $value;
+		}
+
+		if (is_string($value) && preg_match('/^-?[0-9]+$/', $value)) {
+			return (int)$value;
+		}
+
+		return (int)$default;
+	}
+}
+
+if (!function_exists('audit_html_escape')) {
+	function audit_html_escape($value) {
+		$value = (string)$value;
+
+		if (function_exists('html_escape')) {
+			return html_escape($value);
+		}
+
+		return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
+	}
+}

tests/Integration/test_detail_render_escaping.php

@@ -0,0 +1,45 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | Integration checks for audit detail escaping helpers.                   |
+ |                                                                         |
+ | Run: php tests/integration/test_detail_render_escaping.php              |
+ +-------------------------------------------------------------------------+
+ */
+
+$pass = 0;
+$fail = 0;
+
+function assert_true($label, $value) {
+	global $pass, $fail;
+
+	if ($value) {
+		echo "PASS  $label\n";
+		$pass++;
+	} else {
+		echo "FAIL  $label\n";
+		$fail++;
+	}
+}
+
+require_once __DIR__ . '/../../audit_helpers.php';
+
+$rendered_field = audit_html_escape('"><img src=x onerror=alert(1)>');
+$rendered_json  = audit_html_escape(json_encode(array('payload' => '<svg onload=alert(1)>')));
+
+assert_true(
+	'field names are escaped before rendering',
+	strpos($rendered_field, '<img') === false && strpos($rendered_field, '&lt;img') !== false
+);
+
+assert_true(
+	'record data json is escaped before rendering',
+	strpos($rendered_json, '<svg') === false && strpos($rendered_json, '&lt;svg') !== false
+);
+
+echo "\n";
+echo "Results: $pass passed, $fail failed\n";
+
+exit($fail > 0 ? 1 : 0);

tests/Unit/test_security_helpers.php

@@ -0,0 +1,47 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | Unit checks for audit security helpers.                                 |
+ |                                                                         |
+ | Run: php tests/unit/test_security_helpers.php                           |
+ +-------------------------------------------------------------------------+
+ */
+
+$pass = 0;
+$fail = 0;
+
+function assert_true($label, $value) {
+	global $pass, $fail;
+
+	if ($value) {
+		echo "PASS  $label\n";
+		$pass++;
+	} else {
+		echo "FAIL  $label\n";
+		$fail++;
+	}
+}
+
+require_once __DIR__ . '/../../audit_helpers.php';
+
+assert_true(
+	'integer normalization keeps valid integers',
+	audit_normalize_int('42', -1) === 42
+);
+
+assert_true(
+	'integer normalization rejects mixed payloads',
+	audit_normalize_int('0 OR 1=1', -1) === -1
+);
+
+assert_true(
+	'html escaping encodes script payloads',
+	audit_html_escape('<script>alert(1)</script>') === '&lt;script&gt;alert(1)&lt;/script&gt;'
+);
+
+echo "\n";
+echo "Results: $pass passed, $fail failed\n";
+
+exit($fail > 0 ? 1 : 0);

tests/e2e/test_security_wiring.php

@@ -0,0 +1,48 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ |                                                                         |
+ | End-to-end wiring checks for audit security fixes.                      |
+ |                                                                         |
+ | Run: php tests/e2e/test_security_wiring.php                             |
+ +-------------------------------------------------------------------------+
+ */
+
+$pass = 0;
+$fail = 0;
+
+function assert_true($label, $value) {
+	global $pass, $fail;
+
+	if ($value) {
+		echo "PASS  $label\n";
+		$pass++;
+	} else {
+		echo "FAIL  $label\n";
+		$fail++;
+	}
+}
+
+$source = file_get_contents(__DIR__ . '/../../audit.php');
+
+assert_true(
+	'user_id filter uses integer normalization before SQL concatenation',
+	substr_count($source, "audit_normalize_int(get_request_var('user_id'), -1)") === 2
+);
+
+assert_true(
+	'detail popup escapes field names and values',
+	strpos($source, "audit_html_escape(\$field)") !== false &&
+	strpos($source, "audit_html_escape(\$content)") !== false
+);
+
+assert_true(
+	'record data json is escaped before rendering',
+	strpos($source, "audit_html_escape(json_encode(\$record, JSON_PRETTY_PRINT))") !== false
+);
+
+echo "\n";
+echo "Results: $pass passed, $fail failed\n";
+
+exit($fail > 0 ? 1 : 0);