diff --git a/front/deviceDetails.php b/front/deviceDetails.php
index 06b7214f..4961f278 100755
--- a/front/deviceDetails.php
+++ b/front/deviceDetails.php
@@ -1288,7 +1288,7 @@ function getDeviceData (readAllData=false) {
 if (deviceData['dev_Favorite'] == 1) {$('#chkFavorite').iCheck('check');} else {$('#chkFavorite').iCheck('uncheck');}
 $('#txtGroup').val (deviceData['dev_Group']);
 $('#txtLocation').val (deviceData['dev_Location']);
- $('#txtComments').val (deviceData['dev_Comments']);
+ $('#txtComments').val (decodeSpecialChars(deviceData['dev_Comments']));
 $('#txtNetworkNodeMac').val ( networkParentMacName) ;
 $('#txtNetworkNodeMac').attr ('data-mynodemac', deviceData['dev_Network_Node_MAC_ADDR']);
 $('#txtNetworkPort').val (deviceData['dev_Network_Node_port']);
@@ -1429,7 +1429,7 @@ function setDeviceData (direction='', refreshCallback='') {
 + '&favorite=' + ($('#chkFavorite')[0].checked * 1)
 + '&group=' + encodeURIComponent($('#txtGroup').val())
 + '&location=' + encodeURIComponent($('#txtLocation').val())
- + '&comments=' + encodeURIComponent($('#txtComments').val())
+ + '&comments=' + encodeURIComponent(encodeSpecialChars($('#txtComments').val()))
 + '&networknode=' + $('#txtNetworkNodeMac').attr('data-mynodemac')
 + '&networknodeport=' + $('#txtNetworkPort').val()
 + '&ssid=' + $('#txtSSID').val()
diff --git a/front/js/common.js b/front/js/common.js
index 2db71c85..721c974a 100755
--- a/front/js/common.js
+++ b/front/js/common.js
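Review bot: The added `decodeSpecialChars(deviceData['dev_Comments'])` will throw if `dev_Comments` comes back null or undefined, because the helper introduced in common.js calls `str.replace` unconditionally, whereas the removed line tolerated that since `.val(null)` simply clears the field. If the column is nullable, guard the call at this site, e.g. `$('#txtComments').val (decodeSpecialChars(deviceData['dev_Comments'] || ''));`. getDeviceData starts and continues outside the hunk.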
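Review bot: Only the comments parameter is passed through encodeSpecialChars before the request is built, while group and location on the neighbouring lines are still sent exactly as typed; if the purpose is to make stored text safe to render, the protection is partial and the handling of the other free-text fields should be stated in a comment. Entity-encoding before storage also means every reader of dev_Comments now has to know the value is pre-escaped, which is why escaping is normally applied where a value is rendered rather than before it is persisted; a short comment on the changed line saying that comments are stored HTML-escaped and must be decoded by readers would at least make the contract explicit. setDeviceData starts and continues outside the hunk.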
@@ -383,6 +383,26 @@ function isValidJSON(jsonString) {
 }
 }
+// method to sanitize input so that HTML and other things don't break
+function encodeSpecialChars(str) {
+ return str
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''');
+}
+
+function decodeSpecialChars(str) {
+ return str
+ .replace(/&/g, '&')
+ .replace(/</g, '<')
+ .replace(/>/g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, '\'');
+}
+
+
 // -----------------------------------------------------------------------------
 // General utilities
 // -----------------------------------------------------------------------------
diff --git a/front/php/server/devices.php b/front/php/server/devices.php
index a7c44219..041ee328 100755
--- a/front/php/server/devices.php
+++ b/front/php/server/devices.php
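Review bot: decodeSpecialChars applies the ampersand replacement first, so it is not the inverse of encodeSpecialChars: a comment that contained the literal text of an entity is escaped by the `&` step into a double-escaped form, and decoding the ampersand before the other entities collapses it to the raw character instead of the text the user typed; move the `&` replacement to the end of the decode chain (encode must keep it first), and util.php's decodeSpecialChars in this same commit has the identical ordering problem. Both helpers also call `str.replace` with no guard, so a null or undefined argument throws rather than yielding an empty string. As this page renders it, every replacement string looks identical to its search pattern and one call has an empty pattern (`//g`, which JavaScript would read as the start of a comment), presumably because entities were decoded on display; worth confirming the committed file reads as intended. The leading comment says "sanitize", but this is escaping for an HTML text context, not sanitization; `// Escape HTML-significant characters so stored text renders literally; decodeSpecialChars reverses it` would describe it accurately.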
@@ -428,41 +428,39 @@ function ExportCSV() {
 $func_result = $db->query("SELECT * FROM Devices");
 // prepare CSV header row
- // header array with column names
 $columns = getDevicesColumns();
 // wrap the headers with " (quotes)
- $resultCSV = '"'.implode('","', $columns).'"';
-
- //and append a new line
- $resultCSV = $resultCSV."\n";
+ $resultCSV = '"'.implode('","', $columns).'"'."\n";
 // retrieve the devices from the DB
- while ($row = $func_result -> fetchArray (SQLITE3_ASSOC)) {
+ while ($row = $func_result->fetchArray(SQLITE3_ASSOC)) {
 // loop through columns and add values to the string
 $index = 0;
 foreach ($columns as $columnName) {
+ // Escape special chars (e.g.quotes) inside fields by replacing them with html definitions
+ $fieldValue = encodeSpecialChars($row[$columnName]);
 // add quotes around the value to prevent issues with commas in fields
- $resultCSV = $resultCSV.'"'.$row[$columnName].'"';
+ $resultCSV .= '"'.$fieldValue.'"';
 // detect last loop - skip as no comma needed
- if ($index != count($columns) - 1 )
- {
- $resultCSV = $resultCSV.',';
+ if ($index != count($columns) - 1) {
+ $resultCSV .= ',';
 }
 $index++;
 }
- //$resultCSV = $resultCSV.implode(",", [$row["dev_MAC"], $row["dev_Name"]]);
- $resultCSV = $resultCSV."\n";
+ // add a new line for the next row
+ $resultCSV .= "\n";
 }
 //write the built CSV string
 echo $resultCSV;
 }
+
 //------------------------------------------------------------------------------
 // Import CSV of devices
 //------------------------------------------------------------------------------
diff --git a/front/php/server/util.php b/front/php/server/util.php
index 8f650050..dd43dd92 100755
--- a/front/php/server/util.php
+++ b/front/php/server/util.php
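Review bot: Turning a `"` inside a field into an HTML entity is not how CSV escapes quotes; RFC 4180 doubles them, e.g. `$fieldValue = str_replace('"', '""', (string) $row[$columnName]);`, and the entity form means every consumer of the export, including the project's own CSV import, must decode before the values are correct. Comments saved through the setDeviceData change in deviceDetails.php are already entity-encoded when stored, so this loop encodes them a second time on export. `$row[$columnName]` is NULL for an empty column, and passing NULL as the subject of str_replace inside encodeSpecialChars raises a deprecation on PHP 8.1+; the existing `handleNull` helper in util.php looks like the intended way to normalise it first, though its return value should be confirmed. Because the export carries user-supplied fields such as device names into a file that is typically opened in a spreadsheet, values beginning with formula characters remain a risk this escaping does not address. ExportCSV's signature is outside the hunk.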
@@ -524,6 +524,25 @@ function handleNull ($text, $default = "") {
 }
+// -------------------------------------------------------------------------------------------
+// Encode special chars
+function encodeSpecialChars($str) {
+ return str_replace(
+ ['&', '<', '>', '"', "'"],
+ ['&', '<', '>', '"', '''],
+ $str
+ );
+}
+
+// -------------------------------------------------------------------------------------------
+// Decode special chars
+function decodeSpecialChars($str) {
+ return str_replace(
+ ['&', '<', '>', '"', '''],
+ ['&', '<', '>', '"', "'"],
+ $str
+ );
+}
 // -------------------------------------------------------------------------------------------
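Review bot: These helpers reimplement what `htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and `htmlspecialchars_decode($str, ENT_QUOTES)` already provide, and the built-ins get the replacement order right and cope with malformed UTF-8; with str_replace and array arguments the pairs are applied sequentially in array order, so decodeSpecialChars as written must move its ampersand pair to the end of both arrays (the same ordering issue is noted on the common.js hunk). Parameters and returns are untyped; `function encodeSpecialChars(?string $str): string` with `$str ?? ''` as the subject would accept the NULL column values devices.php can pass without a deprecation notice, and the same for decode. As rendered here the search and replacement arrays look identical and the single-quote replacement appears as `'''`, which is not valid PHP, presumably an artifact of entity decoding on display; confirm the committed file. A one-line contract would help future readers, e.g. `// Escape &, <, >, " and ' as HTML entities; decodeSpecialChars is the exact inverse`.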