Description: CVE-2018-8763
 XSS vulnerabilities CVE-2018-8763
Author: Roland Gruber <post@rolandgruber.de>
Applied-Upstream: 6.3
Last-Update: 2018-03-28

--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/add_attr_form.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/add_attr_form.php
@@ -17,7 +17,7 @@ $request['dn'] = get_request('dn','GET')
 
 # Check if the entry exists.
 if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
+	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
 
 $request['page'] = new TemplateRender($app['server']->getIndex(),get_request('template','REQUEST',false,null));
 $request['page']->setDN($request['dn']);
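Review bot: The added `htmlspecialchars($request['dn'])` uses the default flags and charset, so single quotes are left unencoded and, under the UTF-8 default, a DN carrying an invalid byte sequence makes the call return an empty string, degrading the message to `The entry () does not exist.` with no indication of what was requested. Passing the flags explicitly, `htmlspecialchars($request['dn'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, keeps the message intact and also covers single-quoted attribute contexts. The same applies to every htmlspecialchars call this patch adds; in plain message text the default is adequate, but the `value="%s"` attributes in the second hunk of this file and in rename_form.php, and the `class` attribute in masscreate.php, stay closed only because the default happens to encode double quotes.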
@@ -100,7 +100,7 @@ if (get_request('meth','REQUEST') != 'aj
 					echo '<input type="hidden" name="cmd" value="update" />';
 
 				printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
-				printf('<input type="hidden" name="dn" value="%s" />',$request['dn']);
+				printf('<input type="hidden" name="dn" value="%s" />',htmlspecialchars($request['dn']));
 				echo '<input type="hidden" name="binary" value="true" />';
 
 				echo '<select name="single_item_attr">';
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/add_oclass_form.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/add_oclass_form.php
@@ -21,7 +21,7 @@ $request['dn'] = get_request('dn','REQUE
 
 # Check if the entry exists.
 if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
+	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
 
 $request['page'] = new TemplateRender($app['server']->getIndex(),get_request('template','REQUEST',false,null));
 $request['page']->setDN($request['dn']);
@@ -57,7 +57,7 @@ foreach ($ldap['attrs']['need'] as $inde
 	$ldap['attrs']['need'][$index]->show();
 
 if (count($ldap['attrs']['need']) > 0) {
-	$request['page']->drawTitle(sprintf(_('Add new object class to <b>%s</b>'),get_rdn($request['dn'])));
+	$request['page']->drawTitle(sprintf(_('Add new object class to <b>%s</b>'),htmlspecialchars(get_rdn($request['dn']))));
 	$request['page']->drawSubTitle();
 
 	echo '<div style="text-align: center">';
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/add_value_form.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/add_value_form.php
@@ -19,7 +19,7 @@ $request['attr'] = get_request('attr','G
 
 # Check if the entry exists.
 if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
+	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
 
 $request['page'] = new TemplateRender($app['server']->getIndex(),get_request('template','REQUEST',false,null));
 $request['page']->setDN($request['dn']);
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/compare.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/compare.php
@@ -21,10 +21,10 @@ $ldap['SRC'] = $_SESSION[APPCONFIG]->get
 $ldap['DST'] = $_SESSION[APPCONFIG]->getServer(get_request('server_id_dst'));
 
 if (! $ldap['SRC']->dnExists($request['dnSRC']))
-	error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn($request['dnSRC'])),'error','index.php');
+	error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn(htmlspecialchars($request['dnSRC']))),'error','index.php');
 
 if (! $ldap['DST']->dnExists($request['dnDST']))
-	error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn($request['dnDST'])),'error','index.php');
+	error(sprintf('%s (%s)',_('No such entry.'),pretty_print_dn(htmlspecialchars($request['dnDST']))),'error','index.php');
 
 $request['pageSRC'] = new PageRender($ldap['SRC']->getIndex(),get_request('template','REQUEST',false,'none'));
 $request['pageSRC']->setDN($request['dnSRC']);
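Review bot: The new `pretty_print_dn(htmlspecialchars($request['dnSRC']))` escapes the DN before it is parsed rather than escaping what is rendered, so pretty_print_dn now receives `&quot;`, `&amp;` and `&lt;` in place of the original characters; if the helper splits the DN with `ldap_explode_dn` (it is outside this patch, so this is inferred from its name), a quoted RDN value such as `cn="a,b"` would be split at the comma once its quotes are entity-encoded. delete.php applies the two calls in the opposite order in its second hunk, `htmlspecialchars(pretty_print_dn($request['dn']))`, so the patch is internally inconsistent about which order is right. Escaping the helper's output matches the sink, i.e. `htmlspecialchars(pretty_print_dn($request['dnSRC']))` on this line and the dnDST line, unless pretty_print_dn is known to emit markup or to escape its own output, in which case that should be confirmed and the wrapper dropped or placed accordingly. The same escape-before-parse order appears in copy.php, the first hunk of delete.php, rdelete.php and template_engine.php.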
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/compare_form.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/compare_form.php
@@ -18,19 +18,19 @@ $request['dn'] = get_request('dn','GET')
 
 # Check if the entry exists.
 if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
+	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
 
 $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none'));
 $request['page']->setDN($request['dn']);
 $request['page']->accept();
 
 # Render the form
-$request['page']->drawTitle(sprintf(_('Compare another DN with <b>%s</b>'),get_rdn($request['dn'])));
+$request['page']->drawTitle(sprintf(_('Compare another DN with <b>%s</b>'),htmlspecialchars(get_rdn($request['dn']))));
 $request['page']->drawSubTitle();
 
 printf('<script type="text/javascript" src="%sdnChooserPopup.js"></script>',JSDIR);
 echo '<div style="text-align: center;">';
-printf('%s <b>%s</b> %s<br />',_('Compare'),get_rdn($request['dn']),_('with '));
+printf('%s <b>%s</b> %s<br />',_('Compare'),htmlspecialchars(get_rdn($request['dn'])),_('with '));
 echo '</div>';
 
 echo '<form action="cmd.php" method="post" id="compare_form">';
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/copy.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/copy.php
@@ -28,11 +28,11 @@ if ($ldap['DST']->isReadOnly())
 	error(('Destination server is currently READ-ONLY.'),'error','index.php');
 
 if ($ldap['DST']->dnExists($request['dnDST']))
-	error(sprintf(_('The destination entry (%s) already exists.'),pretty_print_dn($request['dnDST'])),'error','index.php');
+	error(sprintf(_('The destination entry (%s) already exists.'),pretty_print_dn(htmlspecialchars($request['dnDST']))),'error','index.php');
 
 if (! $ldap['DST']->dnExists($ldap['DST']->getContainer($request['dnDST'])))
 	error(sprintf(_('The container you specified (%s) does not exist. Please try again.'),
-		pretty_print_dn($ldap['DST']->getContainer($request['dnDST']))),'error','index.php');
+		pretty_print_dn(htmlspecialchars($ldap['DST']->getContainer($request['dnDST'])))),'error','index.php');
 
 if (pla_compare_dns($request['dnSRC'],$request['dnDST']) == 0 && $ldap['SRC']->getIndex() == $ldap['DST']->getIndex())
 	error(_('The source and destination DN are the same.'),'error','index.php');
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/copy_form.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/copy_form.php
@@ -17,19 +17,19 @@ $request['dn'] = get_request('dn','GET')
 
 # Check if the entry exists.
 if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
+	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
 
 $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none'));
 $request['page']->setDN($request['dn']);
 $request['page']->accept();
 
 # Render the form
-$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Copy'),get_rdn($request['dn'])));
+$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Copy'),htmlspecialchars(get_rdn($request['dn']))));
 $request['page']->drawSubTitle();
 
 printf('<script type="text/javascript" src="%sdnChooserPopup.js"></script>',JSDIR);
 echo '<div style="text-align: center;">';
-printf(_('Copy <b>%s</b> to a new object.') . '<br /><br />',get_rdn($request['dn']));
+printf(_('Copy <b>%s</b> to a new object.') . '<br /><br />',htmlspecialchars(get_rdn($request['dn'])));
 echo '</div>';
 
 echo '<form action="cmd.php" method="post" id="copy_form">';
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/delete.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/delete.php
@@ -16,7 +16,7 @@ $request = array();
 $request['dn'] = get_request('dn','REQUEST',true);
 
 if (! $app['server']->dnExists($request['dn']))
-	error(sprintf('%s (%s)',_('No such entry.'),'<b>'.pretty_print_dn($request['dn']).'</b>'),'error','index.php');
+	error(sprintf('%s (%s)',_('No such entry.'),'<b>'.pretty_print_dn(htmlspecialchars($request['dn'])).'</b>'),'error','index.php');
 
 # Delete the entry.
 $result = $app['server']->delete($request['dn']);
@@ -29,12 +29,12 @@ if ($result) {
 
 	system_message(array(
 		'title'=>_('Delete DN'),
-		'body'=>sprintf('<b>' . _('Successfully deleted DN %s') . '</b>',$request['dn']),
+		'body'=>sprintf('<b>' . _('Successfully deleted DN %s') . '</b>',htmlspecialchars($request['dn'])),
 		'type'=>'info'),
 		sprintf('index.php?server_id=%s%s',$app['server']->getIndex(),$redirect_url));
 } else
 	system_message(array(
-		'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn($request['dn'])),
+		'title'=>_('Could not delete the entry.').sprintf(' (%s)',htmlspecialchars(pretty_print_dn($request['dn']))),
 		'body'=>ldap_error_msg($app['server']->getErrorMessage(null),$app['server']->getErrorNum(null)),
 		'type'=>'error'));
 ?>
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/delete_attr.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/delete_attr.php
@@ -17,7 +17,7 @@ $request['attr'] = get_request('attr','R
 $request['index'] = get_request('index','REQUEST',true);
 
 if ($app['server']->isAttrReadOnly($request['attr']))
-	error(sprintf(('The attribute "%s" is flagged as read-only in the phpLDAPadmin configuration.'),$request['attr']),'error','index.php');
+	error(sprintf(('The attribute "%s" is flagged as read-only in the phpLDAPadmin configuration.'),htmlspecialchars($request['attr'])),'error','index.php');
 
 $update_array = array();
 $update_array[$request['attr']] = $app['server']->getDNAttrValue($request['dn'],$request['attr']);
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/delete_form.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/delete_form.php
@@ -24,15 +24,15 @@ $request['template'] = $request['page']-
 if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
 	system_message(array(
 		'title'=>_('Entry does not exist'),
-		'body'=>sprintf(_('The entry (%s) does not exist.'),$request['dn']),
+		'body'=>sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),
 		'type'=>'error'),'index.php');
 
 # We search all children, not only the visible children in the tree
 $request['children'] = $app['server']->getContainerContents($request['dn'],null,0,'(objectClass=*)',LDAP_DEREF_NEVER);
 
-printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(get_rdn($request['dn'])));
+printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(htmlspecialchars(get_rdn($request['dn']))));
 printf('<h3 class="subtitle">%s: <b>%s</b></h3>',
-	_('DN'),$request['dn']);
+	_('DN'),htmlspecialchars($request['dn']));
 echo "\n";
 
 echo '<center>';
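Review bot: The title line now escapes twice, `htmlspecialchars(htmlspecialchars(get_rdn($request['dn'])))`, because the removed line was already escaping that value; an RDN containing `&` will render as the literal text `&amp;` and `<` as `&lt;`, a display regression rather than a hardening. Restore the single wrapper: `printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(get_rdn($request['dn'])));`. The subtitle line in this hunk and the server-table line in the second hunk are escaped once and are fine.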
@@ -109,7 +109,7 @@ if (count($request['children'])) {
 
 	printf('<tr><td style="width: 10%%;">%s:</td><td colspan="3" style="width: 75%%;"><b>%s</b></td></tr>',_('Server'),$app['server']->getName());
 	printf('<tr><td style="width: 10%%;"><acronym title="%s">%s</acronym></td><td colspan="3" style="width: 75%%;"><b>%s</b></td></tr>',
-		_('DN'),_('DN'),$request['dn']);
+		_('DN'),_('DN'),htmlspecialchars($request['dn']));
 	echo '<tr><td colspan="4">&nbsp;</td></tr>';
 	echo "\n";
 
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/download_binary_attr.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/download_binary_attr.php
@@ -21,7 +21,7 @@ $request['type'] = get_request('type','G
 $request['filename'] = get_request('filename','GET',false,sprintf('%s:%s.bin',get_rdn($request['dn'],true),$request['attr']));
 
 if (! $app['server']->dnExists($request['dn']))
-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
+	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
 
 $search = $app['server']->getDNAttrValues($request['dn'],null,LDAP_DEREF_NEVER,array($request['attr']));
 
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/modify_member_form.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/modify_member_form.php
@@ -54,7 +54,7 @@ foreach ($app['server']->getBaseDN() as
 
 usort($possible_values,'pla_compare_dns');
 
-$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Modify group'),get_rdn($request['dn'])));
+$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Modify group'),htmlspecialchars(get_rdn($request['dn']))));
 $request['page']->drawSubTitle();
 
 printf(_('There are <b>%s</b> members in group <b>%s</b>:'),
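Review bot: The printf on the last line of the hunk, `_('There are <b>%s</b> members in group <b>%s</b>:')`, takes its arguments on the following lines, which fall outside the hunk; if the second argument is `get_rdn($request['dn'])` as on the drawTitle line just patched, it needs the same `htmlspecialchars` wrapper, otherwise the fix covers the heading but not the sentence beneath it. Worth checking the continuation before merging.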
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/rdelete.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/rdelete.php
@@ -44,7 +44,7 @@ foreach ($request['parent'] as $dn) {
 
 	} else {
 		system_message(array(
-			'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn($request['dn'])),
+			'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn(htmlspecialchars($request['dn']))),
 			'body'=>ldap_error_msg($app['server']->getErrorMessage(null),$app['server']->getErrorNum(null)),
 			'type'=>'error'));
 	}
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/rename_form.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/rename_form.php
@@ -21,17 +21,17 @@ $request['page']->setDN($request['dn']);
 $request['page']->accept();
 
 # Render the form
-$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Rename'),get_rdn($request['dn'])));
+$request['page']->drawTitle(sprintf('%s <b>%s</b>',_('Rename'),htmlspecialchars(get_rdn($request['dn']))));
 $request['page']->drawSubTitle();
 
 echo '<center>';
-printf(_('Rename <b>%s</b> to a new object.') . '<br /><br />',get_rdn($request['dn']));
+printf(_('Rename <b>%s</b> to a new object.') . '<br /><br />',htmlspecialchars(get_rdn($request['dn'])));
 
 echo '<form action="cmd.php?cmd=rename" method="post" />';
 printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
 printf('<input type="hidden" name="dn" value="%s" />',rawurlencode($request['dn']));
-printf('<input type="hidden" name="template" value="%s" />',$request['template']);
-printf('<input type="text" name="new_rdn" size="30" value="%s" />',get_rdn($request['dn']));
+printf('<input type="hidden" name="template" value="%s" />',htmlspecialchars($request['template']));
+printf('<input type="text" name="new_rdn" size="30" value="%s" />',htmlspecialchars(get_rdn($request['dn'])));
 printf('<input type="submit" value="%s" />',_('Rename'));
 echo '</form>';
 
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/template_engine.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/template_engine.php
@@ -42,7 +42,7 @@ $request['page'] = new TemplateRender($a
 # If we have a DN, then this is to edit the entry.
 if ($request['dn']) {
 	$app['server']->dnExists($request['dn'])
-		or error(sprintf('%s (%s)',_('No such entry'),pretty_print_dn($request['dn'])),'error','index.php');
+		or error(sprintf('%s (%s)',_('No such entry'),pretty_print_dn(htmlspecialchars($request['dn']))),'error','index.php');
 
 	$request['page']->setDN($request['dn']);
 	$request['page']->accept();
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/update.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/update.php
@@ -24,7 +24,7 @@ if (get_request('cancel','REQUEST')) {
 }
 
 if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
+	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
 
 $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none'));
 $request['page']->setDN($request['dn']);
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/update_confirm.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/update_confirm.php
@@ -20,7 +20,7 @@ $request = array();
 $request['dn'] = get_request('dn','REQUEST',true);
 
 if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
-	error(sprintf(_('The entry (%s) does not exist.'),$request['dn']),'error','index.php');
+	error(sprintf(_('The entry (%s) does not exist.'),htmlspecialchars($request['dn'])),'error','index.php');
 
 $request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none'));
 $request['page']->setDN($request['dn']);
--- ldap-account-manager-5.5.orig/templates/3rdParty/pla/htdocs/view_jpeg_photo.php
+++ ldap-account-manager-5.5/templates/3rdParty/pla/htdocs/view_jpeg_photo.php
@@ -18,7 +18,7 @@ $request['dn'] = get_request('dn','GET')
 $request['attr'] = strtolower(get_request('attr','GET',false,'jpegphoto'));
 $request['index'] = get_request('index','GET',false,0);
 $request['type'] = get_request('type','GET',false,'image/jpeg');
-$request['filename'] = get_request('filename','GET',false,sprintf('%s.jpg',get_rdn($request['dn'],true)));
+$request['filename'] = get_request('filename','GET',false,sprintf('%s.jpg',htmlspecialchars(get_rdn($request['dn'],true))));
 $request['location'] = get_request('location','GET',false,'ldap');
 
 switch ($request['location']) {
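Review bot: The htmlspecialchars wrapper on the `filename` default is applied to a value that, judging from its name and the `image/jpeg` `type` default beside it, is presumably emitted in a response header rather than rendered as HTML (its use is outside the hunk), so entity-encoding alters the suggested download name (`&` becomes `&amp;`) without addressing what matters in a header context, namely quotes, CR/LF and non-ASCII bytes. It also covers only the computed default; a caller-supplied `filename` query parameter passes through `get_request` on the same line untouched. If the value feeds `Content-Disposition`, the defensible change is to sanitize the final `$request['filename']` for that header regardless of its source, e.g. stripping CR, LF and `"` or using the RFC 6266 `filename*=UTF-8''` form with `rawurlencode`; download_binary_attr.php leaves its equivalent default unescaped, so the two files should at least agree.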
--- ldap-account-manager-5.5.orig/templates/masscreate.php
+++ ldap-account-manager-5.5/templates/masscreate.php
@@ -117,7 +117,7 @@ if (isset($_POST['type'])) {
 // show start page
 $divClass = 'user';
 if (isset($_REQUEST['type'])) {
-	$divClass = $_REQUEST['type'];
+	$divClass = htmlspecialchars($_REQUEST['type']);
 }
 echo '<div class="' . $divClass . '-bright smallPaddingContent">';
 echo "<div class=\"title\">\n";
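Review bot: `$divClass` is escaped at assignment rather than where it is interpolated into the `class` attribute on the echo line, so any later use of the variable on this page (outside the hunk) receives the entity-encoded value rather than the requested type. The fixed `'user'` default suggests the type comes from a small known set, and checking `$_REQUEST['type']` against that set with a fallback to `'user'` would be a tighter fix than escaping; the set is defined by the handler above the hunk, so confirm it there. If escaping is kept, apply it at the output with explicit flags: `echo '<div class="' . htmlspecialchars($divClass, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '-bright smallPaddingContent">';`.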
