fix(ncp-web): prevent XSS via log output and undefined array key warning (#2101)

theCalcaholic · aroldobossoni · web-flow · commit efeec6a7a2dc · 2026-04-03T20:06:39.000+02:00
This commit addresses two issues in the NextCloudPi web panel:

1. HTML injection via ncp.log content (XSS vulnerability)
   - When /var/log/ncp.log contains HTML-like content (e.g., &lt;strftime_format&gt;
     from certain backup operations), the unescaped output breaks the HTML parser
   - This causes the browser to ignore subsequent &lt;script&gt; tags, preventing
     minified.js and ncp.js from loading
   - Result: the dashboard never loads and shows infinite "System Info" spinner
   - Fix: wrap file_get_contents() with htmlspecialchars() in index.php line 290

2. PHP warning for undefined HTTP_ACCEPT_LANGUAGE
   - When requests lack Accept-Language header (e.g., API calls, curl),
     PHP emits "Undefined array key" warning
   - This warning can corrupt JSON responses from ncp-launcher.php
   - Fix: use null coalescing operator (?? '') in both index.php and
     ncp-launcher.php

Tested on NextCloudPi running in LXC container on Proxmox.

Made-with: Cursor

Co-authored-by: Aroldo de Mattos Bossoni &lt;github@bossone.com.br&gt;
diff --git a/ncp-web/index.php b/ncp-web/index.php
@@ -65,7 +65,7 @@
 <?php
   require("L10N.php");
   try {
-    $l = new L10N($_SERVER["HTTP_ACCEPT_LANGUAGE"], $l10nDir, $modules_path);
+    $l = new L10N(($_SERVER["HTTP_ACCEPT_LANGUAGE"] ?? ''), $l10nDir, $modules_path);
   } catch (Exception $e) {
     die("<p class='error'>Error while loading localizations!</p>");
   }
@@ -287,7 +287,7 @@
         <div id="logs-wrapper" class="content-box <?php if(!array_key_exists('app',$_GET) || (array_key_exists('app',$_GET) && $_GET['app'] != 'logs')) echo 'hidden';?>">
           <h2 class="text-title"><?php echo $l->__("NextcloudPi logs"); ?></h2>
           <div id="logs-content" class="table-wrapper">
-            <div id="logs-details-box" class="outputbox"><?php echo str_replace(array("\r\n", "\n", "\r"), '<br/>', file_get_contents('/var/log/ncp.log')) ?></div>
+            <div id="logs-details-box" class="outputbox"><?php echo str_replace(array("\r\n", "\n", "\r"), '<br/>', htmlspecialchars(file_get_contents('/var/log/ncp.log'), ENT_QUOTES, 'UTF-8')) ?></div>
             <div id="log-download-btn-wrapper"><input id="log-download-btn" type="button" value="Download"/></div>
           </div>
   </div>
diff --git a/ncp-web/ncp-launcher.php b/ncp-web/ncp-launcher.php
@@ -21,7 +21,7 @@
 //
 require("L10N.php");
 try {
-  $l = new L10N($_SERVER["HTTP_ACCEPT_LANGUAGE"], $l10nDir, $cfg_dir);
+  $l = new L10N(($_SERVER["HTTP_ACCEPT_LANGUAGE"] ?? ''), $l10nDir, $cfg_dir);
 } catch (Exception $e) {
   die(json_encode("<p class='error'>Error while loading localizations!</p>"));
 }

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@`
`21`	`21`	`//`
`22`	`22`	`require("L10N.php");`
`23`	`23`	`try {`
`24`		`- $l = new L10N($_SERVER["HTTP_ACCEPT_LANGUAGE"], $l10nDir, $cfg_dir);`
	`24`	`+ $l = new L10N(($_SERVER["HTTP_ACCEPT_LANGUAGE"] ?? ''), $l10nDir, $cfg_dir);`
`25`	`25`	`} catch (Exception $e) {`
`26`	`26`	`die(json_encode("<p class='error'>Error while loading localizations!</p>"));`
`27`	`27`	`}`