From 74434e5ca3fb66018fad60766f833f15689fcbfc Mon Sep 17 00:00:00 2001
From: Deon George
Date: Mon, 3 Sep 2012 07:16:34 +1000
Subject: [PATCH] SF Bug #3497660 - XSS flaws via 'export', 'add_value_form' and 'dn' variables
---
 htdocs/add_value_form.php | 2 +-
 htdocs/export.php | 4 ++--
 lib/export_functions.php | 16 ++++++++--------
 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/htdocs/add_value_form.php b/htdocs/add_value_form.php
index 790b639..c30f348 100644
--- a/htdocs/add_value_form.php
+++ b/htdocs/add_value_form.php
@@ -34,7 +34,7 @@ if ($request['attribute']->isReadOnly())
 # Render the form
 if (! strcasecmp($request['attr'],'objectclass') || get_request('meth','REQUEST') != 'ajax') {
 # Render the form.
- $request['page']->drawTitle(sprintf('%s %s %s %s',_('Add new'),$request['attr'],_('value to'),get_rdn($request['dn'])));
+ $request['page']->drawTitle(sprintf('%s %s %s %s',_('Add new'),htmlspecialchars($request['attr']),_('value to'),htmlspecialchars(get_rdn($request['dn']))));
 $request['page']->drawSubTitle();
 if (! strcasecmp($request['attr'],'objectclass')) {
diff --git a/htdocs/export.php b/htdocs/export.php
index ece7edf..cc1096b 100755
--- a/htdocs/export.php
+++ b/htdocs/export.php
@@ -29,12 +29,12 @@ if ($request['file']) {
 header('Content-type: application/download');
 header(sprintf('Content-Disposition: inline; filename="%s.%s"','export',$types['extension'].($request['export']->isCompressed() ? '.gz' : '')));
- $request['export']->export();
+ echo $request['export']->export();
 die();
 } else {
 print '
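Review bot: The two htmlspecialchars() calls added on the drawTitle line rely on the default flags and charset, so single quotes are left unescaped (ENT_COMPAT is the default before PHP 8.1) and the charset depends on the PHP version; if drawTitle ever places the title inside a single-quoted attribute, or `$request['attr']` / the RDN carry non-ASCII bytes, the escape is incomplete. Make both explicit: `htmlspecialchars($request['attr'], ENT_QUOTES, 'UTF-8')` and `htmlspecialchars(get_rdn($request['dn']), ENT_QUOTES, 'UTF-8')`. Whether drawTitle escapes on its own cannot be seen from this hunk; if it does not, the other drawTitle/drawSubTitle call sites that receive request data presumably need the same treatment, and a short comment such as `# attr and dn are request-controlled; escape before they reach the page title` would stop the next edit from dropping the calls. The enclosing `if` block continues past the end of the hunk.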
';
-	$request['export']->export();
+	echo htmlspecialchars($request['export']->export());
 	print '
';
 }
 ?>
diff --git a/lib/export_functions.php b/lib/export_functions.php
index 076b6a6..e8c2f76 100644
--- a/lib/export_functions.php
+++ b/lib/export_functions.php
@@ -324,9 +324,9 @@ class ExportCSV extends Export {
 }
 if ($this->compress)
- echo gzencode($output);
+ return gzencode($output);
 else
- echo $output;
+ return $output;
 }
 /**
@@ -428,9 +428,9 @@ class ExportDSML extends Export {
 $output .= sprintf('%s',$this->br);
 if ($this->compress)
- echo gzencode($output);
+ return gzencode($output);
 else
- echo $output;
+ return $output;
 }
 }
@@ -506,9 +506,9 @@ class ExportLDIF extends Export {
 }
 if ($this->compress)
- echo gzencode($output);
+ return gzencode($output);
 else
- echo $output;
+ return $output;
 }
 /**
@@ -633,9 +633,9 @@ class ExportVCARD extends Export {
 }
 if ($this->compress)
- echo gzencode($output);
+ return gzencode($output);
 else
- echo $output;
+ return $output;
 }
 }
 ?>
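Review bot: The new `echo htmlspecialchars($request['export']->export());` in the else branch of export.php calls htmlspecialchars() without a charset, and on PHP 5.4+ (where the default became UTF-8) an export containing invalid UTF-8 attribute values makes the function return an empty string, so the page silently shows nothing; use `echo htmlspecialchars($request['export']->export(), ENT_QUOTES, 'UTF-8');` and treat an empty result as an error rather than as an empty directory. On the download branch the new `echo` is fine, but the unchanged headers still send `Content-Disposition: inline` with the non-standard type `application/download`, which leaves browsers free to sniff and render LDIF/DSML/vCard text that contains attacker-supplied attribute values; `attachment` plus `header('X-Content-Type-Options: nosniff');` would close that. Whether the inline branch can be reached with isCompressed() true cannot be seen here, but if it can, the escaped gzip bytes are emitted into the page; guarding that branch with the same isCompressed() check used for the filename would be cheap. Note that the `<pre>` tags around the inline output appear to have been stripped from this rendering of the patch.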
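Review bot: Changing `echo` to `return` in ExportCSV::export() (and identically in the DSML, LDIF and VCARD hunks) silently alters the method's contract from printing to returning, but the docblock above each method is not updated and the diffstat shows only htdocs/export.php as a caller being adjusted; any other code path that calls `->export()` and relied on the side effect now produces no output at all with no error. Add to each export() docblock `@return string the rendered export, gzip-compressed when $this->compress is set`, and state in the commit message that export() no longer prints. The export() method's signature and the start of its body are outside the hunk, so whether a docblock exists for it is inferred from the `/**` context lines, not seen directly.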