From cfbb2c7b6c4d10a53f3f5dfc227c8daaa69caf69 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Mon, 22 Dec 2025 18:02:50 -0500 Subject: [PATCH 1/8] htmlspecialchars --- webroot/admin/ajax/get_group_members.php | 28 ++++++++++++++---------- webroot/admin/pi-mgmt.php | 18 ++++++++------- webroot/admin/user-mgmt.php | 19 ++++++++-------- webroot/panel/pi.php | 6 ++--- 4 files changed, 38 insertions(+), 33 deletions(-) diff --git a/webroot/admin/ajax/get_group_members.php b/webroot/admin/ajax/get_group_members.php index 7d0dbde8e..cf99ea348 100644 --- a/webroot/admin/ajax/get_group_members.php +++ b/webroot/admin/ajax/get_group_members.php @@ -26,10 +26,12 @@ } else { echo ""; } - $fullname = $attributes["gecos"][0]; - $mail = $attributes["mail"][0]; + $_uid = htmlspecialchars($uid); + $fullname = htmlspecialchars($attributes["gecos"][0]); + $mail = htmlspecialchars($attributes["mail"][0]); + $gid = htmlspecialchars($group->gid); echo "$fullname"; - echo "$uid"; + echo "$_uid"; echo "$mail"; echo ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); @@ -38,13 +40,13 @@ action='' method='POST' onsubmit=' - return confirm(\"Are you sure you want to remove $uid from this group?\"); + return confirm(\"Are you sure you want to remove $_uid from this group?\"); ' > $CSRFTokenHiddenFormInput - - + + "; @@ -59,20 +61,22 @@ } else { echo ""; } - $name = $user->getFullName(); - $email = $user->getMail(); + $name = htmlspecialchars($user->getFullName()); + $uid = htmlspecialchars($user->uid); + $email = htmlspecialchars($user->getMail()); + $gid = htmlspecialchars($group->gid); echo "$name"; - echo "$user->uid"; + echo "$uid"; echo "$email"; echo ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo "
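Review bot: `$_uid` is also interpolated into the JavaScript string inside `onsubmit='return confirm(\"… $_uid …\")'`, and htmlspecialchars() covers only the HTML-attribute layer: the browser entity-decodes the attribute before the JS engine runs it, so a `&quot;` produced from a uid containing `"` comes back as a bare `"` that terminates the confirm() string literal. Escape for the JS context first and the attribute second, e.g. `$uid_js = htmlspecialchars(json_encode((string) $uid), ENT_QUOTES);` and `return confirm(\"Are you sure you want to remove \" + $uid_js + \" from this group?\");`; the approve form further down this file has the same shape. Whether LDAP uids can actually contain quotes depends on username validation elsewhere in the project that I cannot see, so treat this as defence in depth. Note also that on PHP < 8.1 htmlspecialchars() does not encode single quotes by default, and the attributes in this form are single-quoted (`onsubmit='…'`, `method='POST'`), so pass `ENT_QUOTES` explicitly unless the project pins PHP 8.1+.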
+ onsubmit='return confirm(\"Are you sure you want to approve $uid ?\");'> $CSRFTokenHiddenFormInput - - + +
"; echo ""; diff --git a/webroot/admin/pi-mgmt.php b/webroot/admin/pi-mgmt.php index 135a10310..7913329f8 100644 --- a/webroot/admin/pi-mgmt.php +++ b/webroot/admin/pi-mgmt.php @@ -69,14 +69,14 @@ $requests = $SQL->getRequests(UnitySQL::REQUEST_BECOME_PI); foreach ($requests as $request) { - $uid = $request["uid"]; + $uid = htmlspecialchars($request["uid"]); $request_user = new UnityUser($uid, $LDAP, $SQL, $MAILER, $WEBHOOK); - $name = $request_user->getFullname(); - $email = $request_user->getMail(); + $gecos = htmlspecialchars($request_user->getFullname()); + $mail = htmlspecialchars($request_user->getMail()); echo ""; - echo "$name"; + echo "$gecos"; echo "$uid"; - echo "$email"; + echo "$mail"; echo "" . date("jS F, Y", strtotime($request['timestamp'])) . ""; echo ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); @@ -123,10 +123,12 @@ class="filterSearch" ); usort($owner_attributes, fn($a, $b) => strcmp($a["uid"][0], $b["uid"][0])); foreach ($owner_attributes as $attributes) { - $mail = $attributes["mail"][0]; + $gecos = htmlspecialchars($attributes["gecos"][0]); + $gid = htmlspecialchars(UnityGroup::OwnerUID2GID($attributes["uid"][0])); + $mail = htmlspecialchars($attributes["mail"][0]); echo ""; - echo "" . $attributes["gecos"][0] . ""; - echo "" . UnityGroup::OwnerUID2GID($attributes["uid"][0]) . ""; + echo "$gecos"; + echo "$gid"; echo "$mail"; echo ""; } diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php index f327aa78f..a06cc8568 100644 --- a/webroot/admin/user-mgmt.php +++ b/webroot/admin/user-mgmt.php 
@@ -56,25 +56,24 @@ class="filterSearch" ); usort($user_attributes, fn ($a, $b) => strcmp($a["uid"][0], $b["uid"][0])); foreach ($user_attributes as $attributes) { - $uid = $attributes["uid"][0]; + $uid = htmlspecialchars($attributes["uid"][0]); + $gecos = htmlspecialchars($attributes["gecos"][0]); + $org = htmlspecialchars($attributes["o"][0]); + $mail = htmlspecialchars($attributes["mail"][0]); if ($SQL->accDeletionRequestExists($uid)) { echo ""; } else { echo ""; } - echo "" . $attributes["gecos"][0] . ""; - echo "" . $uid . ""; - echo "" . $attributes["o"][0] . ""; - echo " - - " . $attributes["mail"][0] . " - - "; + echo "$gecos"; + echo "$uid"; + echo "$org"; + echo "$mail"; echo ""; if (count($UID2PIGIDs[$uid]) > 0) { echo ""; foreach ($UID2PIGIDs[$uid] as $gid) { - echo ""; + echo ""; } echo "
$gid
" . htmlspecialchars($gid) . "
"; } diff --git a/webroot/panel/pi.php b/webroot/panel/pi.php index fc031d647..ede562cc7 100644 --- a/webroot/panel/pi.php +++ b/webroot/panel/pi.php @@ -57,9 +57,9 @@ echo ""; foreach ($requests as [$user, $timestamp]) { - $uid = $user->uid; - $name = $user->getFullName(); - $email = $user->getMail(); + $uid = htmlspecialchars($user->uid); + $name = htmlspecialchars($user->getFullName()); + $email = htmlspecialchars($user->getMail()); $date = date("jS F, Y", strtotime($timestamp)); echo ""; echo ""; From 372d17e218cc8d9813aa38aacbfb431b6c7c262b Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Mon, 22 Dec 2025 18:08:08 -0500 Subject: [PATCH 2/8] copilot escape from mail templates --- resources/mail/account_deletion_request_admin.php | 6 +++--- .../mail/account_deletion_request_cancelled_admin.php | 6 +++--- resources/mail/group_disband.php | 2 +- resources/mail/group_join_request_cancelled.php | 2 +- resources/mail/group_request_admin.php | 8 ++++---- resources/mail/group_request_cancelled.php | 2 +- resources/mail/group_user_added.php | 2 +- resources/mail/group_user_added_owner.php | 10 +++++----- resources/mail/group_user_denied.php | 2 +- resources/mail/group_user_denied_owner.php | 10 +++++----- resources/mail/group_user_removed.php | 2 +- resources/mail/group_user_removed_owner.php | 10 +++++----- resources/mail/group_user_request.php | 2 +- resources/mail/group_user_request_owner.php | 10 +++++----- resources/mail/user_flag_added.php | 4 ++-- resources/mail/user_flag_added_admin.php | 10 +++++----- resources/mail/user_flag_removed_admin.php | 10 +++++----- resources/mail/user_loginshell.php | 2 +- resources/mail/user_sshkey.php | 2 +- 19 files changed, 51 insertions(+), 51 deletions(-) diff --git a/resources/mail/account_deletion_request_admin.php b/resources/mail/account_deletion_request_admin.php index 6d8fde1ad..440324da2 100644 --- a/resources/mail/account_deletion_request_admin.php +++ b/resources/mail/account_deletion_request_admin.php @@ -8,9 +8,9 @@

A user has requested deletion of their account. User details are below:

- Username + Username
- Name + Name
- Email + Email

diff --git a/resources/mail/account_deletion_request_cancelled_admin.php b/resources/mail/account_deletion_request_cancelled_admin.php index 39f105fbe..869c271ef 100644 --- a/resources/mail/account_deletion_request_cancelled_admin.php +++ b/resources/mail/account_deletion_request_cancelled_admin.php @@ -7,9 +7,9 @@

A user has cancelled their request for account deletion. User details are below:

- Username + Username
- Name + Name
- Email + Email

diff --git a/resources/mail/group_disband.php b/resources/mail/group_disband.php index f40129767..fd1c67d4b 100644 --- a/resources/mail/group_disband.php +++ b/resources/mail/group_disband.php @@ -5,7 +5,7 @@

Hello,

-

Your PI group, , has been disbanded on the UnityHPC Platform. +

Your PI group, , has been disbanded on the UnityHPC Platform. Any jobs associated with this PI account have been killed.

If you believe this to be a mistake, please reply to this email

diff --git a/resources/mail/group_join_request_cancelled.php b/resources/mail/group_join_request_cancelled.php index 90119b807..e61b3a618 100644 --- a/resources/mail/group_join_request_cancelled.php +++ b/resources/mail/group_join_request_cancelled.php @@ -1,4 +1,4 @@ Subject = "Unity PI Membership Request Cancelled: '" . $data["uid"] . "'"; ?>

Hello,

-

The user '' has cancelled their request to join your PI group.

+

The user '' has cancelled their request to join your PI group.
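Review bot: The `Subject = "… '" . $data["uid"] . "'"` line at the top of this hunk still concatenates the uid raw, and it should stay free of entity encoding (a subject is a plain-text header, not HTML), but the hazard in that position is CR/LF header injection rather than XSS. Whether that is reachable depends on the mailer object whose `Subject` property is being set, which is not visible here: PHPMailer-style libraries strip newlines from header values, a thin wrapper around `mail()` may not. A cheap template-level guard is `preg_replace('/[\r\n]+/', ' ', $data["uid"])` in the subject, or better a single sanitising step where the mailer assembles headers so every template benefits. The same pattern appears in the group_request_cancelled.php hunk below.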

diff --git a/resources/mail/group_request_admin.php b/resources/mail/group_request_admin.php index 0dfd82011..41eda93a1 100644 --- a/resources/mail/group_request_admin.php +++ b/resources/mail/group_request_admin.php @@ -8,13 +8,13 @@

A user has requested a PI account. User details are below:

- Username + Username
- Organization + Organization
- Name + Name
- Email + Email

diff --git a/resources/mail/group_request_cancelled.php b/resources/mail/group_request_cancelled.php index 1af2e8bba..324a5f941 100644 --- a/resources/mail/group_request_cancelled.php +++ b/resources/mail/group_request_cancelled.php @@ -1,4 +1,4 @@ Subject = "PI Request Cancelled: '" . $data["uid"] . "'"; ?>

Hello,

-

The user '' has cancelled their request to become a PI.

+

The user '' has cancelled their request to become a PI.

diff --git a/resources/mail/group_user_added.php b/resources/mail/group_user_added.php index 1fb9d6bde..7396206f1 100644 --- a/resources/mail/group_user_added.php +++ b/resources/mail/group_user_added.php @@ -5,7 +5,7 @@

Hello,

-

You have been approved to join the PI group . +

You have been approved to join the PI group . Navigate to the page to see your PI groups.

diff --git a/resources/mail/group_user_added_owner.php b/resources/mail/group_user_added_owner.php index a082f30eb..371b5b9d7 100644 --- a/resources/mail/group_user_added_owner.php +++ b/resources/mail/group_user_added_owner.php @@ -7,18 +7,18 @@

A new user has been added to your PI group, -''. +''. The details of the new user are below:

-Username +Username
-Organization +Organization
-Name +Name
-Email +Email

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_denied.php b/resources/mail/group_user_denied.php index 8e1f2ae0c..fcfb602bd 100644 --- a/resources/mail/group_user_denied.php +++ b/resources/mail/group_user_denied.php @@ -5,6 +5,6 @@

Hello,

-

You have been denied from joining the PI group .

+

You have been denied from joining the PI group .

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_denied_owner.php b/resources/mail/group_user_denied_owner.php index f98b161f2..d15d79e07 100644 --- a/resources/mail/group_user_denied_owner.php +++ b/resources/mail/group_user_denied_owner.php @@ -5,17 +5,17 @@

Hello,

-

A user has been denied from joining your PI group, . +

A user has been denied from joining your PI group, . The details of the denied user are below:

-Username +Username
-Organization +Organization
-Name +Name
-Email +Email

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_removed.php b/resources/mail/group_user_removed.php index 83a1786e1..3c2a291a6 100644 --- a/resources/mail/group_user_removed.php +++ b/resources/mail/group_user_removed.php @@ -5,6 +5,6 @@

Hello,

-

You have been removed from the PI group .

+

You have been removed from the PI group .

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_removed_owner.php b/resources/mail/group_user_removed_owner.php index 2cff0e54c..5c798a586 100644 --- a/resources/mail/group_user_removed_owner.php +++ b/resources/mail/group_user_removed_owner.php @@ -7,18 +7,18 @@

A user has been removed from your PI group, -''. +''. The details of the removed user are below:

-Username +Username
-Organization +Organization
-Name +Name
-Email +Email

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_request.php b/resources/mail/group_user_request.php index ad40d215c..7bbbb2018 100644 --- a/resources/mail/group_user_request.php +++ b/resources/mail/group_user_request.php @@ -5,6 +5,6 @@

Hello,

-

You have requested to join the group .

+

You have requested to join the group .

If you believe this to be a mistake, please reply to this email as soon as possible.

diff --git a/resources/mail/group_user_request_owner.php b/resources/mail/group_user_request_owner.php index b2db8638a..cff157d9d 100644 --- a/resources/mail/group_user_request_owner.php +++ b/resources/mail/group_user_request_owner.php @@ -7,18 +7,18 @@

A user has requested to join your PI group, -''. +''. The details of the user are below:

-Username +Username
-Organization +Organization
-Name +Name
-Email +Email

You can approve or deny this user on the diff --git a/resources/mail/user_flag_added.php b/resources/mail/user_flag_added.php index 268d0e44f..d71ebe153 100644 --- a/resources/mail/user_flag_added.php +++ b/resources/mail/user_flag_added.php @@ -5,9 +5,9 @@

Hello,

Your account on the UnityHPC Platform has been activated. Your account details are below:

-Username +Username
-Organization +Organization

See the diff --git a/resources/mail/user_flag_added_admin.php b/resources/mail/user_flag_added_admin.php index 3a40153e9..41ee2dc79 100644 --- a/resources/mail/user_flag_added_admin.php +++ b/resources/mail/user_flag_added_admin.php @@ -3,35 +3,35 @@ case UserFlag::QUALIFIED: ?> Subject = "User Qualified"; ?>

Hello,

-

User "" has been qualified.

+

User "" has been qualified.

Subject = "User Ghosted"; ?>

Hello,

-

User "" has been marked as ghost.

+

User "" has been marked as ghost.

Subject = "User Locked"; ?>

Hello,

-

User "" has been locked.

+

User "" has been locked.

Subject = "User Idle Locked"; ?>

Hello,

-

User "" has been idle locked.

+

User "" has been idle locked.

Subject = "User Promoted"; ?>

Hello,

-

User "" has been promoted to admin.

+

User "" has been promoted to admin.

diff --git a/resources/mail/user_flag_removed_admin.php b/resources/mail/user_flag_removed_admin.php index 9df4d136c..09fce452c 100644 --- a/resources/mail/user_flag_removed_admin.php +++ b/resources/mail/user_flag_removed_admin.php @@ -3,35 +3,35 @@ case UserFlag::QUALIFIED: ?> Subject = "User Dequalified"; ?>

Hello,

-

User "" has been dequalified.

+

User "" has been dequalified.

Subject = "User Resurrected"; ?>

Hello,

-

User "" has been resurrected (no longer marked as ghost).

+

User "" has been resurrected (no longer marked as ghost).

Subject = "User Unlocked"; ?>

Hello,

-

User "" has been unlocked.

+

User "" has been unlocked.

Subject = "User Idle Unlocked"; ?>

Hello,

-

User "" has been idle unlocked.

+

User "" has been idle unlocked.

Subject = "User Demoted"; ?>

Hello,

-

User "" has been demoted from admin.

+

User "" has been demoted from admin.

diff --git a/resources/mail/user_loginshell.php b/resources/mail/user_loginshell.php index a86e82088..8d42026f5 100644 --- a/resources/mail/user_loginshell.php +++ b/resources/mail/user_loginshell.php @@ -5,7 +5,7 @@

Hello,

-

You have updated your login shell on the UnityHPC Platform to . +

You have updated your login shell on the UnityHPC Platform to . You can view the login shell settings on the page

diff --git a/resources/mail/user_sshkey.php b/resources/mail/user_sshkey.php index 8ec90a860..c8f78f5ca 100644 --- a/resources/mail/user_sshkey.php +++ b/resources/mail/user_sshkey.php @@ -10,7 +10,7 @@

$key"; + echo "
" . htmlspecialchars($key) . "
"; } ?>

From 648f4a7accdfbb6356ec173748a6ac0355fafde9 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Mon, 22 Dec 2025 18:09:31 -0500 Subject: [PATCH 3/8] reorder --- webroot/admin/pi-mgmt.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webroot/admin/pi-mgmt.php b/webroot/admin/pi-mgmt.php index 7913329f8..1b233c99e 100644 --- a/webroot/admin/pi-mgmt.php +++ b/webroot/admin/pi-mgmt.php @@ -69,8 +69,8 @@ $requests = $SQL->getRequests(UnitySQL::REQUEST_BECOME_PI); foreach ($requests as $request) { + $request_user = new UnityUser($request["uid"], $LDAP, $SQL, $MAILER, $WEBHOOK); $uid = htmlspecialchars($request["uid"]); - $request_user = new UnityUser($uid, $LDAP, $SQL, $MAILER, $WEBHOOK); $gecos = htmlspecialchars($request_user->getFullname()); $mail = htmlspecialchars($request_user->getMail()); echo "

"; From d1ae202e17e1b3ad3f924336d9068e221304b674 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Mon, 22 Dec 2025 18:11:35 -0500 Subject: [PATCH 4/8] rename vars --- webroot/admin/ajax/get_group_members.php | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/webroot/admin/ajax/get_group_members.php b/webroot/admin/ajax/get_group_members.php index cf99ea348..222d820de 100644 --- a/webroot/admin/ajax/get_group_members.php +++ b/webroot/admin/ajax/get_group_members.php @@ -26,12 +26,12 @@ } else { echo ""; } - $_uid = htmlspecialchars($uid); + $uid_escaped = htmlspecialchars($uid); $fullname = htmlspecialchars($attributes["gecos"][0]); $mail = htmlspecialchars($attributes["mail"][0]); - $gid = htmlspecialchars($group->gid); + $gid_escaped = htmlspecialchars($group->gid); echo ""; - echo ""; + echo ""; echo ""; echo ""; } $name = htmlspecialchars($user->getFullName()); - $uid = htmlspecialchars($user->uid); + $uid_escaped = htmlspecialchars($user->uid); $email = htmlspecialchars($user->getMail()); - $gid = htmlspecialchars($group->gid); + $gid_escaped = htmlspecialchars($group->gid); echo ""; - echo ""; + echo ""; echo ""; echo ""; From af08ee135389090fa7ec1b739745b90c200aedf2 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Mon, 22 Dec 2025 18:39:10 -0500 Subject: [PATCH 5/8] mailto urlencode --- webroot/admin/ajax/get_group_members.php | 10 ++++++---- webroot/admin/pi-mgmt.php | 10 ++++++---- webroot/admin/user-mgmt.php | 5 +++-- webroot/panel/ajax/get_group_members.php | 14 ++++++++------ webroot/panel/groups.php | 21 ++++++++++++--------- webroot/panel/pi.php | 20 ++++++++++++-------- 6 files changed, 47 insertions(+), 33 deletions(-) diff --git a/webroot/admin/ajax/get_group_members.php b/webroot/admin/ajax/get_group_members.php index 222d820de..6ec52ce71 100644 --- a/webroot/admin/ajax/get_group_members.php +++ b/webroot/admin/ajax/get_group_members.php 
@@ -28,11 +28,12 @@ } $uid_escaped = htmlspecialchars($uid); $fullname = htmlspecialchars($attributes["gecos"][0]); - $mail = htmlspecialchars($attributes["mail"][0]); + $mail_link = "mailto:" . urlencode($attributes["mail"][0]); + $mail_display = htmlspecialchars($attributes["mail"][0]); $gid_escaped = htmlspecialchars($group->gid); echo ""; echo ""; - echo ""; + echo ""; echo ""; echo ""; - echo ""; + echo ""; echo ""; echo ""; echo ""; - echo ""; + echo ""; echo ""; echo ""; echo ""; echo ""; - echo ""; + echo ""; echo ""; } ?> diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php index a06cc8568..905ca3ed2 100644 --- a/webroot/admin/user-mgmt.php +++ b/webroot/admin/user-mgmt.php @@ -59,7 +59,8 @@ class="filterSearch" $uid = htmlspecialchars($attributes["uid"][0]); $gecos = htmlspecialchars($attributes["gecos"][0]); $org = htmlspecialchars($attributes["o"][0]); - $mail = htmlspecialchars($attributes["mail"][0]); + $mail_link = "mailto:" . urlencode($attributes["mail"][0]); + $mail_display = htmlspecialchars($attributes["mail"][0]); if ($SQL->accDeletionRequestExists($uid)) { echo ""; } else { @@ -68,7 +69,7 @@ class="filterSearch" echo ""; echo ""; echo ""; - echo ""; + echo ""; echo "
$name
$fullname$_uid$uid_escaped$mail"; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); @@ -40,13 +40,13 @@ action='' method='POST' onsubmit=' - return confirm(\"Are you sure you want to remove $_uid from this group?\"); + return confirm(\"Are you sure you want to remove $uid_escaped from this group?\"); ' > $CSRFTokenHiddenFormInput - - + + "; @@ -62,21 +62,21 @@ echo "
$name$uid$uid_escaped$email"; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo "
+ onsubmit='return confirm(\"Are you sure you want to approve $uid_escaped ?\");'> $CSRFTokenHiddenFormInput - - + +
"; echo "
$fullname$uid_escaped$mail$mail_display"; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo " @@ -63,11 +64,12 @@ } $name = htmlspecialchars($user->getFullName()); $uid_escaped = htmlspecialchars($user->uid); - $email = htmlspecialchars($user->getMail()); + $mail_link = "mailto:" . urlencode($user->getMail()); + $mail_display = htmlspecialchars($user->getMail()); $gid_escaped = htmlspecialchars($group->gid); echo "$name$uid_escaped$email$mail_display"; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo diff --git a/webroot/admin/pi-mgmt.php b/webroot/admin/pi-mgmt.php index 1b233c99e..0adfa3f0c 100644 --- a/webroot/admin/pi-mgmt.php +++ b/webroot/admin/pi-mgmt.php @@ -72,11 +72,12 @@ $request_user = new UnityUser($request["uid"], $LDAP, $SQL, $MAILER, $WEBHOOK); $uid = htmlspecialchars($request["uid"]); $gecos = htmlspecialchars($request_user->getFullname()); - $mail = htmlspecialchars($request_user->getMail()); + $mail_link = "mailto:" . urlencode($request_user->getMail()); + $mail_display = htmlspecialchars($request_user->getMail()); echo "
$gecos$uid$mail$mail_display" . date("jS F, Y", strtotime($request['timestamp'])) . ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); @@ -125,11 +126,12 @@ class="filterSearch" foreach ($owner_attributes as $attributes) { $gecos = htmlspecialchars($attributes["gecos"][0]); $gid = htmlspecialchars(UnityGroup::OwnerUID2GID($attributes["uid"][0])); - $mail = htmlspecialchars($attributes["mail"][0]); + $mail_link = "mailto:" . urlencode($attributes["mail"][0]); + $mail_display = htmlspecialchars($attributes["mail"][0]); echo "
$gecos$uid$org$mail$mail_display"; if (count($UID2PIGIDs[$uid]) > 0) { echo ""; diff --git a/webroot/panel/ajax/get_group_members.php b/webroot/panel/ajax/get_group_members.php index 15c0b08a8..669a95e0b 100644 --- a/webroot/panel/ajax/get_group_members.php +++ b/webroot/panel/ajax/get_group_members.php @@ -23,12 +23,14 @@ } else { echo ""; } - $fullname = $attributes["gecos"][0]; - $mail = $attributes["mail"][0]; - echo ""; - echo ""; - echo ""; - echo ""; + $uid_escaped = htmlspecialchars($uid); + $gecos = htmlspecialchars($attributes["gecos"][0]); + $mail_link = "mailto:" . urlencode($attributes["mail"][0]); + $mail_display = htmlspecialchars($attributes["mail"][0]); + echo ""; + echo ""; + echo ""; + echo ""; echo ""; $i++; } diff --git a/webroot/panel/groups.php b/webroot/panel/groups.php index d1a791232..0a2cff770 100644 --- a/webroot/panel/groups.php +++ b/webroot/panel/groups.php @@ -99,11 +99,12 @@ ); $requested_owner = $requested_account->getOwner(); $full_name = $requested_owner->getFirstname() . " " . $requested_owner->getLastname(); - $mail = $requested_owner->getMail(); + $mail_link = "mailto:" . urlencode($requested_owner->getMail()); + $mail_display = htmlspecialchars($requested_owner->getMail()); echo ""; echo ""; echo ""; - echo ""; + echo ""; echo ""; echo ""; - echo ""; - echo ""; - echo ""; + echo ""; + echo ""; + echo ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo ""; diff --git a/webroot/panel/pi.php b/webroot/panel/pi.php index ede562cc7..c6375131d 100644 --- a/webroot/panel/pi.php +++ b/webroot/panel/pi.php 
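Review bot: `$mail_link = "mailto:" . urlencode(...)` is placed into `href` without htmlspecialchars(), which is safe only because urlencode()'s output alphabet contains no HTML-special characters; that reasoning deserves a one-line comment next to the assignment, e.g. `// urlencode output is attribute-safe, no further HTML escaping needed`. Separately, urlencode() is form encoding rather than URI encoding: a space becomes `+`, which a mail client reads as a literal plus sign in a mailto: address, whereas `rawurlencode()` yields the `%20` that RFC 6068 expects, so `"mailto:" . rawurlencode($attributes["mail"][0])` is the more correct call for this context. Addresses from the LDAP `mail` attribute presumably never contain spaces, so this is a correctness nit rather than an exploitable issue; the same construction is repeated in every file of this patch.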
@@ -58,13 +58,14 @@ foreach ($requests as [$user, $timestamp]) { $uid = htmlspecialchars($user->uid); - $name = htmlspecialchars($user->getFullName()); - $email = htmlspecialchars($user->getMail()); + $gecos = htmlspecialchars($user->getFullName()); + $mail_link = "mailto:" . urlencode($user->getMail()); + $mail_display = htmlspecialchars($user->getMail()); $date = date("jS F, Y", strtotime($timestamp)); echo ""; - echo ""; + echo ""; echo ""; - echo ""; + echo ""; echo ""; echo ""; echo ""; - echo ""; - echo ""; - echo ""; + echo ""; + echo ""; + echo ""; echo ""; } From db2305a1f20057470b89d3669fc38417e463b9a9 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Mon, 22 Dec 2025 18:49:14 -0500 Subject: [PATCH 6/8] dont use escaped value as array key --- webroot/admin/user-mgmt.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/webroot/admin/user-mgmt.php b/webroot/admin/user-mgmt.php index 905ca3ed2..68595ffa7 100644 --- a/webroot/admin/user-mgmt.php +++ b/webroot/admin/user-mgmt.php @@ -56,7 +56,8 @@ class="filterSearch" ); usort($user_attributes, fn ($a, $b) => strcmp($a["uid"][0], $b["uid"][0])); foreach ($user_attributes as $attributes) { - $uid = htmlspecialchars($attributes["uid"][0]); + $uid = $attributes["uid"][0]; + $uid_escaped = htmlspecialchars($uid); $gecos = htmlspecialchars($attributes["gecos"][0]); $org = htmlspecialchars($attributes["o"][0]); $mail_link = "mailto:" . urlencode($attributes["mail"][0]); @@ -67,7 +68,7 @@ class="filterSearch" echo ""; } echo ""; - echo ""; + echo ""; echo ""; echo ""; echo ""; From 8ad946e92b10f67b1f230a861f37838ec5b3bd68 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Mon, 22 Dec 2025 19:03:08 -0500 Subject: [PATCH 7/8] consistently call it gecos --- webroot/admin/ajax/get_group_members.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/webroot/admin/ajax/get_group_members.php b/webroot/admin/ajax/get_group_members.php index 6ec52ce71..a6312d032 100644 
--- a/webroot/admin/ajax/get_group_members.php +++ b/webroot/admin/ajax/get_group_members.php @@ -27,11 +27,11 @@ echo ""; } $uid_escaped = htmlspecialchars($uid); - $fullname = htmlspecialchars($attributes["gecos"][0]); + $gecos = htmlspecialchars($attributes["gecos"][0]); $mail_link = "mailto:" . urlencode($attributes["mail"][0]); $mail_display = htmlspecialchars($attributes["mail"][0]); $gid_escaped = htmlspecialchars($group->gid); - echo ""; + echo ""; echo ""; echo ""; echo ""; } - $name = htmlspecialchars($user->getFullName()); + $gecos = htmlspecialchars($user->getFullName()); $uid_escaped = htmlspecialchars($user->uid); $mail_link = "mailto:" . urlencode($user->getMail()); $mail_display = htmlspecialchars($user->getMail()); $gid_escaped = htmlspecialchars($group->gid); - echo ""; + echo ""; echo ""; echo ""; echo ""; - echo ""; + echo ""; echo ""; echo ""; echo ""; @@ -110,7 +111,7 @@ $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo " $CSRFTokenHiddenFormInput - + "; @@ -151,21 +152,21 @@ continue; } $gecos = htmlspecialchars($owner->getFullname()); - $gid = htmlspecialchars($group->gid); + $gid_escaped = htmlspecialchars($group->gid); $mail_link = "mailto:" . urlencode($owner->getMail()); $mail_display = htmlspecialchars($owner->getMail()); echo ""; echo ""; - echo ""; + echo ""; echo ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo "";
$fullname$uid$mail$gecos$uid_escaped$mail_display
$full_name" . $requested_account->gid . "$mail$mail_display" . date("jS F, Y", strtotime($request['timestamp'])) . ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); @@ -146,23 +147,25 @@ foreach ($PIGroupGIDs as $gid) { $group = new UnityGroup($gid, $LDAP, $SQL, $MAILER, $WEBHOOK); $owner = $group->getOwner(); - $full_name = $owner->getFirstname() . " " . $owner->getLastname(); if ($USER->uid == $owner->uid) { continue; } - + $gecos = htmlspecialchars($owner->getFullname()); + $gid = htmlspecialchars($group->gid); + $mail_link = "mailto:" . urlencode($owner->getMail()); + $mail_display = htmlspecialchars($owner->getMail()); echo "
$name$gecos$uid$email$mail_display$date"; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); @@ -96,7 +97,10 @@ if ($assoc->uid == $USER->uid) { continue; } - + $uid = htmlspecialchars($assoc->uid); + $gecos = htmlspecialchars($assoc->getFullName()); + $mail_link = "mailto:" . urlencode($assoc->getMail()); + $mail_display = htmlspecialchars($assoc->getMail()); echo "
"; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); @@ -114,9 +118,9 @@ > "; echo "" . $assoc->getFirstname() . " " . $assoc->getLastname() . "" . $assoc->uid . "" . $assoc->getMail() . "$gecos$uid$mail_display
$gecos$uid$uid_escaped$org$mail_display"; @@ -82,10 +83,10 @@ class="filterSearch" echo ""; $CSRFTokenHiddenFormInput = UnityHTTPD::getCSRFTokenHiddenFormInput(); echo "
+ onsubmit='return confirm(\"Are you sure you want to switch to the user $uid_escaped?\");'> $CSRFTokenHiddenFormInput - +
"; echo "
$fullname$gecos$uid_escaped$mail_display"; @@ -62,12 +62,12 @@ } else { echo "
$name$gecos$uid_escaped$mail_display"; From acb5a1fa90e8eacf2688140e0cc13ef217ee8c92 Mon Sep 17 00:00:00 2001 From: Simon Leary Date: Mon, 22 Dec 2025 19:03:33 -0500 Subject: [PATCH 8/8] missed a spot --- webroot/panel/groups.php | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/webroot/panel/groups.php b/webroot/panel/groups.php index 0a2cff770..580c32fe1 100644 --- a/webroot/panel/groups.php +++ b/webroot/panel/groups.php @@ -98,11 +98,12 @@ $WEBHOOK ); $requested_owner = $requested_account->getOwner(); - $full_name = $requested_owner->getFirstname() . " " . $requested_owner->getLastname(); + $gecos = htmlspecialchars($requested_owner->getFullname()); $mail_link = "mailto:" . urlencode($requested_owner->getMail()); $mail_display = htmlspecialchars($requested_owner->getMail()); + $gid = htmlspecialchars($requested_account->gid); echo "
$full_name$gecos" . $requested_account->gid . "$mail_display" . date("jS F, Y", strtotime($request['timestamp'])) . "