From e11754a4e035eb254c0bda1d5aa99f76d696612e Mon Sep 17 00:00:00 2001
From: Andy Taylor
Date: Tue, 14 Oct 2025 14:35:59 +0100
Subject: [PATCH] XSS Vulnerability Patches and Security Enhancements for Dashboard1 - Fix parsing error
---
 dashboard/pgs/class.node.php | 2 +-
 dashboard/pgs/class.parsexml.php | 4 ++--
 dashboard/pgs/config.inc.php | 12 +++---------
 3 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/dashboard/pgs/class.node.php b/dashboard/pgs/class.node.php
index 6a0bf25..f6e0eda 100755
--- a/dashboard/pgs/class.node.php
+++ b/dashboard/pgs/class.node.php
@@ -44,7 +44,7 @@ class Node {
 // Validate callsign format (basic check)
 if (!preg_match('/^[A-Z0-9]{1,10}$/i', $this->Callsign)) {
- $this->Callsign = 'INVALID';
+ $this->Callsign = 'INVALID';
 }
 // Validate LinkedModule (single letter A-Z)
diff --git a/dashboard/pgs/class.parsexml.php b/dashboard/pgs/class.parsexml.php
index dbd8451..7ac7ae6 100755
--- a/dashboard/pgs/class.parsexml.php
+++ b/dashboard/pgs/class.parsexml.php
@@ -15,8 +15,8 @@ class ParseXML {
 $Element = substr($InputString, strpos($InputString, "<".$ElementName.">")+strlen($ElementName)+2, strpos($InputString, "")-strpos($InputString, "<".$ElementName.">")-strlen($ElementName)-2);
- // Strip any remaining HTML/XML tags from the content
- return strip_tags($Element);
+ // Return raw content - sanitization happens at output time
+ return $Element;
 }
 public function GetAllElements($InputString, $ElementName) {
diff --git a/dashboard/pgs/config.inc.php b/dashboard/pgs/config.inc.php
index baf8815..5fc0560 100755
--- a/dashboard/pgs/config.inc.php
+++ b/dashboard/pgs/config.inc.php
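Review bot: Dropping `strip_tags()` turns the return value of `GetElement()` into raw, unescaped text, yet nothing in this hunk shows the output-time escaping the new comment promises, so the XSS protection now rests entirely on every caller passing the value through `htmlspecialchars()` (or the escaper for its output context) before it is echoed. The change is presumably the "parsing error" fix from the subject (strip_tags would also strip nested XML tags that `GetAllElements()` needs), so returning the raw body is defensible, but the contract belongs where callers will read it: replace the inline comment with a docblock on the method along the lines of `@return string Raw element body, NOT escaped; callers must escape for their output context (htmlspecialchars for HTML).` Separately, the closing-tag needle on the context line renders here as `strpos($InputString, "")` — if that is the real source rather than an extraction artifact, the length passed to `substr()` is wrong and the element is mis-parsed. The enclosing method begins above the hunk.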
@@ -77,14 +77,8 @@ $VNStat['Binary'] = '/usr/bin/vnstat';
 include an extra config file for people who dont like to mess with shipped config.ing.php this makes updating dashboard from git a little bit easier */
-
-$external_config = dirname(__FILE__) . '/../config.inc.php';
-if (file_exists($external_config)) {
- $realPath = realpath($external_config);
- // Only allow if it's in parent directory
- if ($realPath !== false && dirname($realPath) === dirname(dirname(__FILE__))) {
- include($realPath);
- }
-}
+if (file_exists("../config.inc.php")) {
+ include ("../config.inc.php");
+}
 ?>
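Review bot: The new `include ("../config.inc.php")` resolves `..` against the process's current working directory (for `file_exists()`) and `include_path`/CWD (for `include`), not against the directory of this file, so the override is only found when the script happens to run from `dashboard/pgs/`, and from another CWD a different `../config.inc.php` could be loaded instead; the code the commit removes anchored the path to `dirname(__FILE__)` and did not have this problem. Keep the simplified shape but anchor the path: `if (file_exists(__DIR__ . '/../config.inc.php')) {` and `include __DIR__ . '/../config.inc.php';`. Since a missing file is silently skipped, a one-line comment stating that the external config is an optional override would make that intent explicit. The `/* ... */` comment opens above the hunk; the trailing `?>` is conventionally omitted in PHP-only files to avoid emitting stray whitespace.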