XSS Vulnerability Patches and Security Enhancements for Dashboard1 - Fix parsing error

dashboard/pgs/class.node.php

@@ -44,7 +44,7 @@ class Node {
 
     // Validate callsign format (basic check)
     if (!preg_match('/^[A-Z0-9]{1,10}$/i', $this->Callsign)) {
-        $this->Callsign = 'INVALID';
+       $this->Callsign = 'INVALID';
     }
 
     // Validate LinkedModule (single letter A-Z)

dashboard/pgs/class.parsexml.php

@@ -15,8 +15,8 @@ class ParseXML {
 
     $Element = substr($InputString, strpos($InputString, "<".$ElementName.">")+strlen($ElementName)+2, strpos($InputString, "</".$ElementName.">")-strpos($InputString, "<".$ElementName.">")-strlen($ElementName)-2);
     
-    // Strip any remaining HTML/XML tags from the content
-    return strip_tags($Element);
+    // Return raw content - sanitization happens at output time
+    return $Element;
    }
 
    public function GetAllElements($InputString, $ElementName) {

dashboard/pgs/config.inc.php

@@ -77,14 +77,8 @@ $VNStat['Binary']                                    = '/usr/bin/vnstat';
 include an extra config file for people who dont like to mess with shipped config.ing.php   
 this makes updating dashboard from git a little bit easier   
 */   
- 
-$external_config = dirname(__FILE__) . '/../config.inc.php';
-if (file_exists($external_config)) {
-    $realPath = realpath($external_config);
-    // Only allow if it's in parent directory
-    if ($realPath !== false && dirname($realPath) === dirname(dirname(__FILE__))) {
-        include($realPath);
-    }
+if (file_exists("../config.inc.php")) {   
+    include ("../config.inc.php");  
 }
 
 ?>