Fixed: Update more lines to resolve XSS exposure (CVE-2020-7106) (#122)

* Fixed: Update more lines to apply Cacti #3191 security solution(CVE-2020-7106)

* Update changelog in README.md for #122

Co-authored-by: Jing Chen <three_chenjing@sohu.com>

Author: ddb4github

README.md

@@ -155,20 +155,24 @@ that.
 
 ## ChangeLog
 
+--- develop ---
+
+* issue#122: Apply Cacti#3191 for XSS exposure (CVE-2020-7106)
+
 --- 2.9 ---
 
 * issue#120: SQL syntax error for syslog when click browser back button
 
-* issue: Syslog stats not reporting properly
-
+* issue: Syslog stats not reporting properly
+
 * issue: Internationalization issues on console
 
 --- 2.8 ---
 
 * issue#115: Some field where not corrected following the version change
 
-* issue#116: Background process fail to operate syslog_coming table; syslog_process.php fail if current workdir is not CACTI_TOP
-
+* issue#116: Background process fail to operate syslog_coming table; syslog_process.php fail if current workdir is not CACTI_TOP
+
 * issue#117: Export of rules does not work when using db other than Cacti
 
 --- 2.7 ---

syslog_alerts.php

@@ -930,9 +930,9 @@ function alert_import() {
 				$id = sql_save($save, 'syslog_alert');
 
 				if ($id) {
-					raise_message('syslog_info' . $id, __('NOTE: Alert \'%s\' %s!', $tname, ($save['id'] > 0 ? __('Updated', 'syslog'):__('Imported', 'syslog')), 'syslog'), MESSAGE_LEVEL_INFO);
+					raise_message('syslog_info' . $id, __esc('NOTE: Alert \'%s\' %s!', $tname, ($save['id'] > 0 ? __('Updated', 'syslog'):__('Imported', 'syslog')), 'syslog'), MESSAGE_LEVEL_INFO);
 				} else {
-					raise_message('syslog_info' . $id, __('ERROR: Alert \'%s\' %s Failed!', $tname, ($save['id'] > 0 ? __('Update', 'syslog'):__('Import', 'syslog')), 'syslog'), MESSAGE_LEVEL_ERROR);
+					raise_message('syslog_info' . $id, __esc('ERROR: Alert \'%s\' %s Failed!', $tname, ($save['id'] > 0 ? __('Update', 'syslog'):__('Import', 'syslog')), 'syslog'), MESSAGE_LEVEL_ERROR);
 				}
 			}
 		}

syslog_process.php

@@ -363,7 +363,7 @@
 						$alertm .= __('Count:', 'syslog')          . ' ' . sizeof($at)       . "\n";
 						$alertm .= __('Message String:', 'syslog') . ' ' . html_escape($alert['message']) . "\n";
 
-						$htmlm  .= '<body><h1>' . __('Cacti Syslog Plugin Threshold Alert \'%s\'', $alert['name'], 'syslog') . '</h1>';
+						$htmlm  .= '<body><h1>' . __esc('Cacti Syslog Plugin Threshold Alert \'%s\'', $alert['name'], 'syslog') . '</h1>';
 						$htmlm  .= '<table cellspacing="0" cellpadding="3" border="1">';
 						$htmlm  .= '<tr><th>' . __('Alert Name', 'syslog') . '</th><th>' . __('Severity', 'syslog') . '</th><th>' . __('Threshold', 'syslog') . '</th><th>' . __('Count', 'syslog') . '</th><th>' . __('Match String', 'syslog') . '</th></tr>';
 						$htmlm  .= '<tr><td>' . html_escape($alert['name']) . '</td>';
@@ -372,7 +372,7 @@
 						$htmlm  .= '<td>'     . sizeof($at)       . '</td>';
 						$htmlm  .= '<td>'     . html_escape($alert['message']) . '</td></tr></table><br>';
 					}else{
-						$htmlm .= '<body><h1>' . __('Cacti Syslog Plugin Alert \'%s\'', $alert['name'], 'syslog') . '</h1>';
+						$htmlm .= '<body><h1>' . __esc('Cacti Syslog Plugin Alert \'%s\'', $alert['name'], 'syslog') . '</h1>';
 					}
 
 					$htmlm .= '<table>';
@@ -423,7 +423,7 @@
 								$sequence = syslog_log_alert($alert['id'], $alert['name'], $alert['severity'], $a, 1, $htmlm);
 								$smsalert = __('Sev:', 'syslog') . $severities[$alert['severity']] . __(', Host:', 'syslog') . $a['host'] . __(', URL:', 'syslog') . read_config_option('base_url', true) . '/plugins/syslog/syslog.php?tab=current&id=' . $sequence;
 
-								syslog_sendemail(trim($alert['email']), $from, __('Event Alert - %s', $alert['name'], 'syslog'), ($html ? $htmlm:$alertm), $smsalert);
+								syslog_sendemail(trim($alert['email']), $from, __esc('Event Alert - %s', $alert['name'], 'syslog'), ($html ? $htmlm:$alertm), $smsalert);
 
 								if ($alert['open_ticket'] == 'on' && strlen(read_config_option('syslog_ticket_command'))) {
 									if (is_executable(read_config_option('syslog_ticket_command'))) {
@@ -472,7 +472,7 @@
 			}
 
 			if ($resend) {
-				syslog_sendemail(trim($alert['email']), $from, __('Event Alert - %s', $alert['name'], 'syslog'), ($html ? $htmlm:$alertm), $smsalert);
+				syslog_sendemail(trim($alert['email']), $from, __esc('Event Alert - %s', $alert['name'], 'syslog'), ($html ? $htmlm:$alertm), $smsalert);
 
 				if ($alert['open_ticket'] == 'on' && strlen(read_config_option('syslog_ticket_command'))) {
 					if (is_executable(read_config_option('syslog_ticket_command'))) {
@@ -699,7 +699,7 @@
 
 					$smsalert  = '';
 
-					syslog_sendemail($syslog_report['email'], $from, __('Event Report - %s', $syslog_report['name'], 'syslog'), $headtext, $smsalert);
+					syslog_sendemail($syslog_report['email'], $from, __esc('Event Report - %s', $syslog_report['name'], 'syslog'), $headtext, $smsalert);
 				}
 			}
 		} else {

syslog_removal.php

@@ -341,7 +341,7 @@ function api_syslog_removal_reprocess($id) {
 		WHERE id = ?',
 		array($id));
 
-	raise_message('syslog_info' . $id, __('Rule \'%s\' resulted in %s/%s messages removed/transferred', $name, $syslog_removed, $syslog_xferred, 'syslog'), MESSAGE_LEVEL_INFO);
+	raise_message('syslog_info' . $id, __esc('Rule \'%s\' resulted in %s/%s messages removed/transferred', $name, $syslog_removed, $syslog_xferred, 'syslog'), MESSAGE_LEVEL_INFO);
 }
 
 /* ---------------------
@@ -839,9 +839,9 @@ function removal_import() {
 				$id = sql_save($save, 'syslog_remove');
 
 				if ($id) {
-					raise_message('syslog_info' . $id, __('NOTE: Removal Rule \'%s\' %s!', $tname, ($save['id'] > 0 ? __('Updated', 'syslog'):__('Imported', 'syslog')), 'syslog'), MESSAGE_LEVEL_INFO);
+					raise_message('syslog_info' . $id, __esc('NOTE: Removal Rule \'%s\' %s!', $tname, ($save['id'] > 0 ? __('Updated', 'syslog'):__('Imported', 'syslog')), 'syslog'), MESSAGE_LEVEL_INFO);
 				} else {
-					raise_message('syslog_info' . $id, __('ERROR: Removal Rule \'%s\' %s Failed!', $tname, ($save['id'] > 0 ? __('Update', 'syslog'):__('Import', 'syslog')), 'syslog'), MESSAGE_LEVEL_ERROR);
+					raise_message('syslog_info' . $id, __esc('ERROR: Removal Rule \'%s\' %s Failed!', $tname, ($save['id'] > 0 ? __('Update', 'syslog'):__('Import', 'syslog')), 'syslog'), MESSAGE_LEVEL_ERROR);
 				}
 			}
 		}

syslog_reports.php

@@ -822,9 +822,9 @@ function report_import() {
 				$id = sql_save($save, 'syslog_reports');
 
 				if ($id) {
-					raise_message('syslog_info' . $id, __('NOTE: Report Rule \'%s\' %s!', $tname, ($save['id'] > 0 ? __('Updated', 'syslog'):__('Imported', 'syslog')), 'syslog'), MESSAGE_LEVEL_INFO);
+					raise_message('syslog_info' . $id, __esc('NOTE: Report Rule \'%s\' %s!', $tname, ($save['id'] > 0 ? __('Updated', 'syslog'):__('Imported', 'syslog')), 'syslog'), MESSAGE_LEVEL_INFO);
 				} else {
-					raise_message('syslog_info' . $id, __('ERROR: Report Rule \'%s\' %s Failed!', $tname, ($save['id'] > 0 ? __('Update', 'syslog'):__('Import', 'syslog')), 'syslog'), MESSAGE_LEVEL_ERROR);
+					raise_message('syslog_info' . $id, __esc('ERROR: Report Rule \'%s\' %s Failed!', $tname, ($save['id'] > 0 ? __('Update', 'syslog'):__('Import', 'syslog')), 'syslog'), MESSAGE_LEVEL_ERROR);
 				}
 			}
 		}