Fixed: #125 XSS vulnerabilities for alert/reports page (#131)

Co-authored-by: Jing Chen <three_chenjing@sohu.com>

Author: ddb4github

syslog_alerts.php

@@ -795,8 +795,8 @@ function syslog_alerts() {
 			form_selectable_cell(($alert['method'] == 1 ? $alert['num']:__('N/A', 'syslog')), $alert['id']);
 			form_selectable_cell((($alert['enabled'] == 'on') ? __('Yes', 'syslog'):__('No', 'syslog')), $alert['id']);
 			form_selectable_cell($message_types[$alert['type']], $alert['id']);
-			form_selectable_cell(title_trim($alert['message'],60), $alert['id']);
-			form_selectable_cell((substr_count($alert['email'], ',') ? __('Multiple', 'syslog'):$alert['email']), $alert['id']);
+			form_selectable_cell(title_trim(html_escape($alert['message']),60), $alert['id']);
+			form_selectable_cell((substr_count($alert['email'], ',') ? __('Multiple', 'syslog'):html_escape($alert['email'])), $alert['id']);
 			form_selectable_cell(date('Y-m-d H:i:s', $alert['date']), $alert['id']);
 			form_selectable_cell($alert['user'], $alert['id']);
 			form_checkbox_cell($alert['name'], $alert['id']);

syslog_reports.php

@@ -685,7 +685,7 @@ function syslog_report() {
 			form_selectable_cell(filter_value(title_trim($report['name'], read_config_option('max_title_length')), get_request_var('filter'), $config['url_path'] . 'plugins/syslog/syslog_reports.php?action=edit&id=' . $report['id']), $report['id']);
 			form_selectable_cell((($report['enabled'] == 'on') ? __('Yes', 'syslog'):__('No', 'syslog')), $report['id']);
 			form_selectable_cell($message_types[$report['type']], $report['id']);
-			form_selectable_cell($report['message'], $report['id']);
+			form_selectable_cell(html_escape($report['message']), $report['id']);
 			form_selectable_cell($syslog_freqs[$report['timespan']], $report['id']);
 			form_selectable_cell($syslog_times[$report['timepart']], $report['id']);
 			form_selectable_cell(($report['lastsent'] == 0 ? __('Never', 'syslog'): date('Y-m-d H:i:s', $report['lastsent'])), $report['id']);