From a8dc9235f12d3922aa201bf4229e36eec21362af Mon Sep 17 00:00:00 2001 From: Vincent Li Date: Fri, 3 Oct 2025 18:23:26 +0000 Subject: [PATCH] dns.cgi: Fixes bug 13892 XSS potential commit f34349dd754c6cdb29058b603028a7155ebfa830 Author: Adolf Belka Date: Thu Oct 2 13:10:14 2025 +0200 dns.cgi: Fix for XSS potential - Related to CVE-2025-50976 - Fixes NAMESERVER & REMARK - TLS_HOSTNAME was already fixed in a previous patch Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit db042629c0cae5b78eeddb8a9db8783c557138b0 Author: Michael Tremer Date: Thu Sep 25 17:29:35 2025 +0200 dns.cgi: Validate the TLS hostname irregardless of TLS being used That way, we won't have to perform escaping later on and can rely on having a valid value. Signed-off-by: Michael Tremer commit 98616a36c00b7fc845995c5cc4d8e301e58a20a7 Author: Adolf Belka Date: Thu Sep 25 13:12:50 2025 +0200 dns.cgi: Fixes bug 13892 Fixes: bug 13892 - dns.cgi TLS_HOSTNAME Stored Cross-Site Scripting Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer Signed-off-by: Vincent Li
---
 html/cgi-bin/dns.cgi | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi
index 0a34d3fd6..cc5349848 100644
--- a/html/cgi-bin/dns.cgi
+++ b/html/cgi-bin/dns.cgi
@@ -127,18 +127,20 @@ if (($cgiparams{'SERVERS'} eq $Lang::tr{'save'}) || ($cgiparams{'SERVERS'} eq $L
 $errormessage = "$Lang::tr{'invalid ip'}: $cgiparams{'NAMESERVER'}";
 }
- # Check if a TLS is enabled and no TLS_HOSTNAME has benn specified.
- elsif($settings{'PROTO'} eq "TLS") {
- unless($cgiparams{"TLS_HOSTNAME"}) {
- $errormessage = "$Lang::tr{'dns no tls hostname given'}";
- } else {
- # Check if the provided domain is valid.
- unless(&General::validfqdn($cgiparams{"TLS_HOSTNAME"})) {
- $errormessage = "$Lang::tr{'invalid ip or hostname'}: $cgiparams{'TLS_HOSTNAME'}";
- }
+ # Check if the provided hostname is valid
+ if ($cgiparams{'TLS_HOSTNAME'} ne "") {
+ unless (&General::validfqdn($cgiparams{"TLS_HOSTNAME"})) {
+ $errormessage = "$Lang::tr{'invalid ip or hostname'}: " . &Header::escape($cgiparams{'TLS_HOSTNAME'});
 }
 }
+ # Check if a TLS is enabled and no TLS_HOSTNAME has benn specified.
+ if ($settings{'PROTO'} eq "TLS") {
+ unless ($cgiparams{"TLS_HOSTNAME"}) {
+ $errormessage = "$Lang::tr{'dns no tls hostname given'}";
+ }
+ }
+
 # Go further if there was no error.
 if ( ! $errormessage) {
 # Check if a remark has been entered.
@@ -773,9 +775,9 @@ sub show_add_edit_nameserver() {
 # Check if an ID has been given.
 if ($cgiparams{'ID'}) {
 # Assign cgiparams values.
- $cgiparams{'NAMESERVER'} = $dns_servers{$cgiparams{'ID'}}[0];
+ $cgiparams{'NAMESERVER'} = &Header::escape($dns_servers{$cgiparams{'ID'}}[0]);
 $cgiparams{'TLS_HOSTNAME'} = $dns_servers{$cgiparams{'ID'}}[1];
- $cgiparams{'REMARK'} = $dns_servers{$cgiparams{'ID'}}[3];
+ $cgiparams{'REMARK'} = $Header::escape($dns_servers{$cgiparams{'ID'}}[3]);
 }
 } else {
 &Header::openbox('100%', 'left', $Lang::tr{'dnsforward add a new entry'});
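Review bot: The unchanged context line at the top of this hunk still interpolates the submitted value raw, `$errormessage = "$Lang::tr{'invalid ip'}: $cgiparams{'NAMESERVER'}";`, while the new TLS_HOSTNAME message right below it is escaped. Unless `$errormessage` is escaped where it is printed (not visible here), the invalid-IP path still reflects request input; for consistency it should read `$errormessage = "$Lang::tr{'invalid ip'}: " . &Header::escape($cgiparams{'NAMESERVER'});`. Also, replacing `elsif` with two independent `if` blocks means a later check now overwrites an earlier `$errormessage`, so an invalid nameserver can be masked by the hostname error; a short comment that the last failing check wins, or a guard such as `if (!$errormessage && ...)`, would make that deliberate. The enclosing `if` on SERVERS starts and ends outside the hunk.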
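Review bot: The new REMARK line calls `$Header::escape(...)` with a `$` sigil, which names a scalar rather than the sub, so it does not parse as a function call and the CGI will most likely fail to compile. It should match the NAMESERVER line: `$cgiparams{'REMARK'} = &Header::escape($dns_servers{$cgiparams{'ID'}}[3]);`. Separately, TLS_HOSTNAME is loaded from the stored entry unescaped on the assumption that it was validated at save time, but the removed code in the first hunk shows it was previously validated only when PROTO was TLS. Entries saved before this change may therefore hold unvalidated values, and escaping here too, `&Header::escape($dns_servers{$cgiparams{'ID'}}[1])`, would cover them. The body of show_add_edit_nameserver continues outside the hunk.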