From 3055fec1b6160c0bbd84d8d058861edb3c1f5d84 Mon Sep 17 00:00:00 2001
From: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri, 10 Oct 2025 19:31:50 +0000
Subject: [PATCH] qos.cgi: Fixes bug 13885

commit 32f22c92e19c2d94c5f0b667f27e7a5ccd65ac61
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Thu Sep 25 13:12:45 2025 +0200

    qos.cgi: Fixes bug 13885

    Fixes: bug 13885 - qos.cgi INC_SPD OUT_SPD DEFCLASS_INC DEFCLASS_OUT Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit a0d7f366c9ba343e519868da240417b028af88ea
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Aug 7 16:35:02 2024 +0200

    qos.cgi: Make all tables use the full width

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
---
 html/cgi-bin/qos.cgi | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/html/cgi-bin/qos.cgi b/html/cgi-bin/qos.cgi
index f3bbd1bf4..8400bafdf 100644
--- a/html/cgi-bin/qos.cgi
+++ b/html/cgi-bin/qos.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -652,7 +652,7 @@ if ($errormessage) {
 
 print <<END
   <form method='post' action='$ENV{'SCRIPT_NAME'}'>
-	<table width='66%'>
+	<table width='100%'>
 END
 ;
 	if ( $message ne "" ) {
@@ -671,9 +671,11 @@ END
 END
 ;
 	if (($qossettings{'OUT_SPD'} ne '') && ($qossettings{'INC_SPD'} ne '')) {
+		$qossettings{'OUT_SPD'} = &Header::escape($qossettings{'OUT_SPD'});
+		$qossettings{'INC_SPD'} = &Header::escape($qossettings{'INC_SPD'});
 		print <<END
     <form method='post' action='$ENV{'SCRIPT_NAME'}'>
-	  <table width='66%'>
+	  <table width='100%'>
 		<tr><td colspan='3'>&nbsp;
 		<tr><td width='50%' align='right'>$Lang::tr{'downlink speed'}: 	<td width='30%' align='left'>$qossettings{'INC_SPD'}
 		    <td width='20%' rowspan='2' align='center' valign='middle'><input type='submit' name='ACTIONBW' value='$Lang::tr{'modify'}' />
@@ -683,9 +685,11 @@ END
 ;
 	}
 	if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')) {
+		$qossettings{'DEFCLASS_OUT'} = &Header::escape($qossettings{'DEFCLASS_OUT'});
+		$qossettings{'DEFCLASS_INC'} = &Header::escape($qossettings{'DEFCLASS_INC'});
 		print <<END
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
-		<table width='66%'>
+		<table width='100%'>
 		<tr><td colspan='3'><hr />
 		<tr><td width='50%' align='right'>$Lang::tr{'downlink std class'}: 	<td width='30%' align='left'>$qossettings{'DEFCLASS_INC'}
 		    <td width='20%' rowspan='3' align='center' valign='middle'><input type='submit' name='ACTIONDEF' value='$Lang::tr{'modify'}' />
@@ -695,7 +699,7 @@ END
 		</table>
 		</form>
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
-		<table width='66%' border='0'>
+		<table width='100%' border='0'>
 			<tr><td width='100%' align='center'>
 			     <input type='submit' name='ACTION' value='$Lang::tr{'parentclass add'}' />
 			     <input type='submit' name='ACTION' value='$Lang::tr{'status'}' />
@@ -740,7 +744,7 @@ sub changedefclasses {
 	&Header::openbox('100%', 'center', $Lang::tr{'std classes'});
 	print <<END
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
-		<table width='66%'>
+		<table width='100%'>
 		<tr><td width='100%' colspan='3'>$Lang::tr{'no filter pass'}
 		<tr><td width='33%' align='right'>$Lang::tr{'download'}:<td width='33%' align='left'><select name='DEFCLASS_INC'>
 END
@@ -781,7 +785,7 @@ sub changebandwidth {
 		print <<END;
 			<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 				<input type='hidden' name='DEF_OUT_SPD' value='' /><input type='hidden' name='DEF_INC_SPD' value='' />
-				<table width='66%'>
+				<table width='100%'>
 					<tr>
 						<td width='100%' colspan='2'>$Lang::tr{'down and up speed'}</td>
 					</tr>
@@ -843,7 +847,7 @@ sub parentclass {
 	&Header::openbox('100%', 'center', $Lang::tr{'parentclass'});
 	print <<END
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
-		<table width='66%'>
+		<table width='100%'>
 END
 ;
 	if ( $message ne "" ) {
@@ -936,7 +940,7 @@ sub level7rule {
 	&Header::openbox('100%', 'center', $Lang::tr{'Level7 Rule'});
 	print <<END
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
-		<table width='66%'>
+		<table width='100%'>
 END
 ;
 	if ( $message ne "" ) {
@@ -982,7 +986,7 @@ sub portrule {
 	&Header::openbox('100%', 'center', $Lang::tr{'Add Port Rule'});
 	print <<END
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
-		<table width='66%'>
+		<table width='100%'>
 		<tr><td width='100%' colspan='3'>$Lang::tr{'enter data'}
 		<tr><td width='33%' align='right'>$Lang::tr{'protocol'}:
 		    <td width='33%' align='left'><select name='PPROT'>
@@ -1028,7 +1032,7 @@ sub tosrule {
 	}
 	print <<END
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
-		<table width='66%'>
+		<table width='100%'>
 END
 ;
 	if ( $message ne "" ) {