Merge remote-tracking branch 'upstream/bug/xss-vuln-patch' into relea…

…se-3.1.8
bluecherrydvr · Dec 18, 2024 · 2663e5b · 2663e5b
2 parents c9249f2 + b98a6c0
commit 2663e5b
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 2 deletions.
diff --git a/scripts/check_dir_permission.sh b/scripts/check_dir_permission.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -euo pipefail
 
 # Script to change permissions and ownership of a directory, with enhanced safety checks
 

diff --git a/www/template/ajax/storage.php b/www/template/ajax/storage.php
@@ -37,7 +37,7 @@
                             <label class="control-label"><?php echo LOCATION; ?></label>
                         </td>
                         <td class="col-lg-6 col-md-6 col-sm-6 col-xs-6">
-                            <input class="form-control storage-path" name="path[]" type="text" value="<?php echo $location['path']; ?>" />
+                            <input class="form-control storage-path" name="path[]" type="text" value="<?php echo htmlspecialchars($location['path']); ?>" />
                         </td>
                         <td class="col-lg-1 col-md-1 col-sm-1 col-xs-1 align-right">
                             <label class="control-label">Max:</label>

diff --git a/www/template/main_viewer.php b/www/template/main_viewer.php
@@ -27,7 +27,7 @@
         <?php
         $layouts =  (!empty($lv->layout_list[0])) ? $lv->layout_list : array(NO_SAVED_LAYOUTS);
         foreach ($layouts as $key => $layout){
-            echo "<li>".(($layout==NO_SAVED_LAYOUTS) ? "<a class='disabled'>{$layouts[0]}</a>" : "<a href='#load' class='{$layout['layout_name']}'>{$layout['layout_name']}")."</a></li>";
+            echo "<li>".(($layout==NO_SAVED_LAYOUTS) ? "<a class='disabled'>{$layouts[0]}</a>" : "<a href='#load' class='{".htmlspecialchars($layout['layout_name'])."}'>{".htmlspecialchars($layout['layout_name'])."}")."</a></li>";
         }
 
         ?>