From 8745d098902f76ef7771405a035b82ac0dcafd52 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Tue, 10 Jun 2025 12:11:58 -0400
Subject: [PATCH] Add sanitize the remaining uris that allow uri type:// refactored service details
---
 ajax/ajax_asset_details.php | 4 +-
 ajax/ajax_credential_edit.php | 6 +-
 ajax/ajax_service_details.php | 338 ++++++++++++----------------
 asset_details.php | 4 +-
 credentials.php | 6 +-
 5 files changed, 128 insertions(+), 230 deletions(-)
diff --git a/ajax/ajax_asset_details.php b/ajax/ajax_asset_details.php
index ec378459..4accc12d 100644
--- a/ajax/ajax_asset_details.php
+++ b/ajax/ajax_asset_details.php
@@ -300,10 +300,10 @@ ob_start();
-
+
-
+
diff --git a/ajax/ajax_credential_edit.php b/ajax/ajax_credential_edit.php
index ea132dfe..3b25b61e 100644
--- a/ajax/ajax_credential_edit.php
+++ b/ajax/ajax_credential_edit.php
@@ -12,6 +12,8 @@ $credential_name = nullable_htmlentities($row['credential_name']);
 $credential_description = nullable_htmlentities($row['credential_description']);
 $credential_uri = nullable_htmlentities($row['credential_uri']);
 $credential_uri_2 = nullable_htmlentities($row['credential_uri_2']);
+$credential_uri_link = sanitize_url($row['credential_uri']);
+$credential_uri_2_link = sanitize_url($row['credential_uri_2']);
 $credential_username = nullable_htmlentities(decryptCredentialEntry($row['credential_username']));
 $credential_password = nullable_htmlentities(decryptCredentialEntry($row['credential_password']));
 $credential_otp_secret = nullable_htmlentities($row['credential_otp_secret']);
@@ -137,7 +139,7 @@ ob_start();
- +
@@ -153,7 +155,7 @@ ob_start();
- +
diff --git a/ajax/ajax_service_details.php b/ajax/ajax_service_details.php
index 3c26234a..8c386fba 100644
--- a/ajax/ajax_service_details.php
+++ b/ajax/ajax_service_details.php
@@ -5,7 +5,6 @@ require_once '../includes/ajax_header.php'; $service_id = intval($_GET['id']); $sql = mysqli_query($mysqli, "SELECT * FROM services WHERE service_id = $service_id LIMIT 1"); - $row = mysqli_fetch_array($sql); $service_name = nullable_htmlentities($row['service_name']); $service_description = nullable_htmlentities($row['service_description']);
@@ -17,6 +16,7 @@ $service_created_at = nullable_htmlentities($row['service_created_at']); $service_updated_at = nullable_htmlentities($row['service_updated_at']); $service_review_due = nullable_htmlentities($row['service_review_due']); $client_id = intval($row['service_client_id']); + // Service Importance if ($service_importance == "High") { $service_importance_display = "$service_importance";
@@ -55,6 +55,7 @@ $sql_domains = mysqli_query( LEFT JOIN domains ON service_domains.domain_id = domains.domain_id WHERE service_id = $service_id" ); + // Associated Certificates $sql_certificates = mysqli_query( $mysqli,
@@ -63,10 +64,6 @@ $sql_certificates = mysqli_query( WHERE service_id = $service_id" ); -// Associated URLs ---- REMOVED for now -//$sql_urls = mysqli_query($mysqli, "SELECT * FROM service_urls -//WHERE service_id = '$service_id'"); - // Associated Vendors $sql_vendors = mysqli_query( $mysqli,
@@ -116,149 +113,99 @@ ob_start(); 0) { ?> -
Assets
- - 0) { + echo "
Assets
"; } ?> -
Networks
- - -
Locations
- - 0) { ?> -
Domains
-
-
@@ -267,148 +214,96 @@ ob_start(); 0) { ?> -
Vendors
- - 0) { + echo "
Vendors
    "; + mysqli_data_seek($sql_vendors, 0); + while ($row = mysqli_fetch_array($sql_vendors)) { + $vendor_id = intval($row['vendor_id']); + $vendor_name = nullable_htmlentities($row['vendor_name']); + echo "
  • $vendor_name
  • "; + } + echo "
"; } ?> 0) { ?> -
Contacts
- - 0) { + echo "
Contacts
    "; + mysqli_data_seek($sql_contacts, 0); + while ($row = mysqli_fetch_array($sql_contacts)) { + $contact_id = intval($row['contact_id']); + $contact_name = nullable_htmlentities($row['contact_name']); + echo "
  • $contact_name
  • "; + } + echo "
"; } ?> 0 || mysqli_num_rows($sql_credentials) > 0) { ?> -
Credentials
-
    - $row[credential_name]"; - } + if (mysqli_num_rows($sql_assets) > 0 || mysqli_num_rows($sql_credentials) > 0) { + echo "
    Credentials
      "; + // Credentials linked to assets + mysqli_data_seek($sql_assets, 0); + while ($row = mysqli_fetch_array($sql_assets)) { + $credential_name = nullable_htmlentities($row['credential_name']); + if (!empty($credential_name)) { + echo "
    • $credential_name
    • "; } - - // Showing explicitly linked credentials - while ($row = mysqli_fetch_array($sql_credentials)) { - if (!empty($row['credential_name'])) { - echo "
    • $row[credential_name]
    • "; - } + } + // Explicitly linked credentials + mysqli_data_seek($sql_credentials, 0); + while ($row = mysqli_fetch_array($sql_credentials)) { + $credential_name = nullable_htmlentities($row['credential_name']); + if (!empty($credential_name)) { + echo "
    • $credential_name
    • "; } - ?> -
    - "; } ?> -
    URLs
    -
      - $row[credential_uri]"; - } - } - - // Reset the $sql_assets pointer to the start - mysqli_data_seek($sql_assets, 0); - - // Show URLs linked to assets, that also have credentials - while ($row = mysqli_fetch_array($sql_assets)) { - if (!empty($row['credential_uri'])) { - echo "
    • $row[credential_uri]
    • "; - } - } - ?> -
    - URLs
      "; + foreach ($urls as $url) { + $label = htmlspecialchars(parse_url($url, PHP_URL_HOST) ?: $url); + echo "
    • $label
    • "; + } + echo "
    "; } ?> 0) { ?> -
    Documents
    - - 0) { + echo "
    Documents
      "; + mysqli_data_seek($sql_docs, 0); + while ($row = mysqli_fetch_array($sql_docs)) { + $document_id = intval($row['document_id']); + $document_name = nullable_htmlentities($row['document_name']); + echo "
    • $document_name
    • "; + } + echo "
    "; } ?> - - - - -
@@ -416,3 +311,4 @@ ob_start();
diff --git a/asset_details.php b/asset_details.php
index 632c87b2..3e8deaf0 100644
--- a/asset_details.php
+++ b/asset_details.php
@@ -292,10 +292,10 @@ if (isset($_GET['asset_id'])) {
-
+
-
+
diff --git a/credentials.php b/credentials.php
index 5a88e058..bb74060b 100644
--- a/credentials.php
+++ b/credentials.php
@@ -300,13 +300,13 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 $credential_id = intval($row['c_credential_id']);
 $credential_name = nullable_htmlentities($row['credential_name']);
 $credential_description = nullable_htmlentities($row['credential_description']);
-$credential_uri = nullable_htmlentities($row['credential_uri']);
+$credential_uri = sanitize_url($row['credential_uri']);
 if (empty($credential_uri)) {
 $credential_uri_display = "-";
 } else {
-$credential_uri_display = truncate($credential_uri,40) . "";
+$credential_uri_display = "" . truncate($credential_uri,40) . "";
 }
-$credential_uri_2 = nullable_htmlentities($row['credential_uri_2']);
+$credential_uri_2 = sanitize_url($row['credential_uri_2']);
 $credential_username = nullable_htmlentities(decryptCredentialEntry($row['credential_username']));
 if (empty($credential_username)) {
 $credential_username_display = "-";
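Review bot: `$credential_uri = sanitize_url($row['credential_uri']);` replaces the `nullable_htmlentities()` call, and the same variable is then echoed as the link label through `truncate($credential_uri,40)`, so the visible text loses its HTML escaping unless `sanitize_url()` (not shown in this diff) also encodes its output. `ajax/ajax_credential_edit.php` in this same commit keeps the two values apart (`$credential_uri` escaped, `$credential_uri_link` sanitized), and `credentials.php` should follow that pattern: keep `$credential_uri = nullable_htmlentities($row['credential_uri']);`, add `$credential_uri_link = sanitize_url($row['credential_uri']);`, and use `$credential_uri_link` only inside the `href` while the label stays `truncate($credential_uri,40)`. The same applies to `$credential_uri_2`, whose display code lies outside this hunk. The loop that sets `$row` begins before this hunk.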