
hardening: escape unescaped DB values in HTML output (72 XSS sites) #89

@somethingwithproof

Description

Findings (validated by xAI Grok security review)

Stored XSS via unescaped DB output (MEDIUM)

72 instances in mikrotik.php where $row values are printed directly into HTML without html_escape(). Examples:

  • mikrotik.php:471-476: RxBytes, TxBytes, RxPackets, TxPackets, RxErrors, TxErrors
  • mikrotik.php:770-773: BytesIn, BytesOut, PacketsIn, PacketsOut

While these are numeric values passed through mikrotik_memory(), any string-type DB columns output without escaping are XSS vectors.

Recommended fix

Audit all print statements outputting DB values and add html_escape() where the value could contain user-controlled strings.
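The vulnerable shape of the finding beside its hardened form, plus a small line-level audit helper for the recommended fix. This is an added example, not code from the plugin; it assumes `html_escape()` is Cacti's helper (a compatible fallback is defined so the file runs stand-alone), and the `$row`, snippet and `mikrotik_memory` text in it are constructed.

```php
<?php
// Added example, not the plugin's own code. html_escape() is assumed to be
// Cacti's helper; a compatible fallback is defined so this runs stand-alone.
if (!function_exists('html_escape')) {
    function html_escape($string) {
        return htmlspecialchars((string) $string, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed row: a free-text column plus a numeric counter like RxBytes.
$row = ['Comment' => 'Uplink <b>A</b> & "core"', 'RxBytes' => 123456789];

// Vulnerable shape of the finding: the DB value is concatenated into HTML as-is.
function render_cell_unescaped($value) {
    return '<td>' . $value . '</td>';
}

// Hardened form: escape at the output boundary, whatever the column type.
// Numeric values pass through unchanged, so the fix is safe to apply uniformly.
function render_cell($value) {
    return '<td>' . html_escape($value) . '</td>';
}

// Audit helper for the recommended fix: flag source lines that print a $row
// value without wrapping it in html_escape(). Heuristic; assumes one
// statement per line, so a reviewer still decides per hit.
function find_unescaped_row_prints(string $source): array {
    $hits = [];
    foreach (explode("\n", $source) as $n => $line) {
        if (preg_match('/\b(print|echo)\b/', $line)
            && preg_match('/\$row\[/', $line)
            && !preg_match('/html_escape\s*\(\s*\$row\[/', $line)) {
            $hits[] = ($n + 1) . ': ' . trim($line);
        }
    }
    return $hits;
}

// Constructed snippet in the style of the affected print statements.
$sample = <<<'SRC'
print "<td>" . $row['Comment'] . "</td>";
print "<td>" . html_escape($row['Comment']) . "</td>";
print "<td>" . mikrotik_memory($row['RxBytes']) . "</td>";
SRC;

echo render_cell_unescaped($row['Comment']), "\n"; // markup reaches the browser raw
echo render_cell($row['Comment']), "\n";           // '<', '&' and '"' become entities
echo render_cell($row['RxBytes']), "\n";           // numeric value is unchanged
print_r(find_unescaped_row_prints($sample));       // lines 1 and 3 are flagged for review
```

Line 3 of the sample is flagged even though the value is numeric; the helper only finds candidates, and the reviewer confirms whether the column can ever hold a user-controlled string.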
