+Fri, 06 Jan 2006 08:07:46 +0100
+----------------
+
+* viewing graphs causing zombie mysql processes?
+
+ If this happens, take a look at the solutions given in
+ http://bugs.debian.org/344519.
+
+* ERROR: Garbage ':33:09 To 2005/10/27 08:33:09\c' after command:
+
+ If you get this, it's probably because you just upgraded rrdtool,
+ which changed its output format between versions and cacti is still
+ trying to parse it using the old versions' output. If you go into
+ your cacti settings, you will see an option to change the version
+ of rrdtool you have installed, which should solve your problem.
+
+* installation
+
+ note that cacti now uses automatic configuration via dbconfig-common.
+ however, if you've chosen to go the manual route, the following
+ information may be helpful.
+
+ using the username and password you provided in debconf (and stored
+ in the cacti config file /etc/cacti/debian.php), create a database
+ and load up the cacti skeleton. assuming you chose a database and
+ user both named 'cacti':
+
+ mysql -u root -p -e "create database cacti"
+ mysql -u root -p -e "grant all privileges on cacti.* to cacti@localhost identified by 'yourpasswordhere'; flush privileges"
+ zcat /usr/share/doc/cacti/cacti.sql.gz | mysql -u cacti -p cacti
+
+ next, go to http://$yourhost/cacti/, and follow the on-screen directions.
+ the default login is admin/admin. once automagical configuration is
+ brought back into cacti, this will probably change to something better.
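Review bot: the GRANT step, `mysql -u root -p -e "grant all privileges on cacti.* to cacti@localhost identified by 'yourpasswordhere'; flush privileges"`, passes the cacti database password on the command line, so it ends up in the shell history and is visible in the process list for the duration of the command; the README should say to run the statement at the mysql prompt instead (or read it from a file), and it should mention that the admin/admin default login two paragraphs later is to be changed at first login rather than left in place until the "automagical configuration" returns.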
+
+* Upgrading from recent versions of cacti (>= 0.8.x)
+
+ There is a special directory install/ available, which contains some
+ basic php scripts to upgrade your current database to the new version
+ of cacti.
+
+ Normally, this should happen automatically. If not, simply point your
+ browser to your cacti installation:
+
+ http://$yourhost/cacti/install
+
+ At some point the automatic upgrade feature will return, but not now.
+
+* Upgrading from old cacti versions (<= 0.6.x)
+
+ The database structure has changed between version 0.6.x and 0.8.x. To make
+ cacti working again, you must create a new database, and import the cacti
+ database configuration. You can do this with the following commands. Please
+ replace "cacti" with your database name. Maybe you must also specify an
+ host name (-h host).
+
+ # backup the old database
+ $ mysqldump -u root -p cacti | gzip -9 - >/tmp/cacti-old.gz
+
+ # delete and create the database again
+ $ mysqladmin -u root -p drop cacti
+ $ mysqladmin -u root -p create cacti
+
+ # import the database structure
+ $ zcat /usr/share/doc/cacti/cacti.sql.gz | mysql -u root -p cacti
+
+ optionally, if you have lots and lots of data and it's critically important
+ to keep it, you can try the following, which i've had work on smaller test
+ installations:
+
+ - downgrade to the previous 0.6.x version of cacti in woody.
+ - download version 0.6.8a from the old cacti repository:
+ http://www.cacti.net/downloads/archive/
+ - extract the tarball in /usr/local/cacti, configure config.php.
+ - change your Alias to point /cacti/ at this directory
+ - go to http://$yourhost/cacti/install/ and do the 0.6.7->0.6.8a upgrade
+ - turn off cron (or at least the cronjob for cacti)
+ - back up your current database, load a copy into a database
+ called cacti-old. truncate the old database.
+ - repeat the described upgrade process to go from 0.6.8a to 0.8.
+ you'll be asked for an "old database" and a "new database". this
+ is where things will either work or not work.
+ - remove these two cacti directories in /usr/local
+ - install the latest version of cacti from sarge/sid
+ - point your apache config back where it should
+ - go to http://$yourhost/cacti/install/ and cacti should take you
+ the rest of the way to the current version.
+ - turn the cronjob back on
+
+ note that i haven't tried this on a large scale, it takes quite a bit
+ of effort, and i can't guarantee it will work. sorry :/
+
+ i would like at some point to offer some automated (or at least cmdline)
+ programs to help automate this, but my first priority is to get the next
+ upstream release out the door. i've already done some work on this, if
+ you're interested in helping out, send me an email.
+
+* PHP command line scripts:
+
+ If you install the php4-{cli,cgi} package _after_ the php4-mysql package,
+ there will be no entry for the mysql extension in this file.
+ To fix this, you can run the following command and select the cgi
+ interface also:
+ # dpkg-reconfigure php4-mysql
+
+ You need to enable mysql support for apache, cli and/or cgi. Depending
+ on your configuration.
+
+* Apache2 support
+
+ If you would like to use cacti with apache2 you need to install the php4
+ package for apache2: libapache2-mod-php4. After this you need to enable
+ the mysql and snmp extension for php4.
+
+ # cd /etc/php4/apache2/
+ # grep -q mysql.so php.ini || echo "extension=mysql.so">>php.ini
+ # grep -q snmp.so php.ini || echo "extension=snmp.so">>php.ini
+
+ (Please note the two ">>" signs)
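Review bot: the guard `grep -q mysql.so php.ini || echo "extension=mysql.so">>php.ini` matches any line that contains `mysql.so`, including a commented-out `;extension=mysql.so` that Debian's php.ini may already carry, in which case nothing is appended and the extension stays disabled while the command reports success; the snmp.so line has the same problem. Anchoring the pattern on an active directive, for example `grep -q '^extension=mysql.so' php.ini`, makes the check do what the text promises.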
+
+* PHP short tags problem in /etc/cacti/debian.php
+
+ Previous versions of cacti create the debian.php file with short php
+ tags ''. This can make problems on systems which only allows the login
+ php tags. (This should be the default IMHO). This version should fix
+ the debian.php automatically during install. The relevant PHP option
+ is: short_open_tag
+
+ If the automatic update doesn't work or you have moved/replaced the
+ file please make sure you are using only long php4 tags in this file.
+
+ Long tags are: (derived from upstream svn diffs)
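Review bot: in the "PHP short tags problem" section, "only allows the login php tags" should read "long php tags", and neither tag form is actually shown: the example after "short php tags" is an empty `''` and the section stops at "Long tags are:" without the long form, so a reader who has to fix debian.php by hand is not told what to write. Spelling out both forms in the text (the short form and the full `<?php ... ?>` form) would make the section self-contained.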
+# Origin: http://svn.cacti.net/viewvc?view=rev&revision=6025
+# http://svn.cacti.net/viewvc?view=rev&revision=6037
+# http://svn.cacti.net/viewvc?view=rev&revision=6038
+# http://svn.cacti.net/viewvc?view=rev&revision=6041
+# http://svn.cacti.net/viewvc?view=rev&revision=6042
+
+diff -Nur cacti-0.8.7e.base/auth_login.php cacti-0.8.7e.patched/auth_login.php
+--- cacti-0.8.7e.base/auth_login.php 2009-06-28 12:07:11.000000000 -0400
++++ cacti-0.8.7e.patched/auth_login.php 2011-02-01 13:52:03.613384163 -0500
+@@ -294,7 +294,7 @@
+
+
+ User Name:
+-
++
+
+
+ Password:
+diff -Nur cacti-0.8.7e.base/cdef.php cacti-0.8.7e.patched/cdef.php
+--- cacti-0.8.7e.base/cdef.php 2011-01-24 15:18:35.557370689 -0500
++++ cacti-0.8.7e.patched/cdef.php 2011-02-01 13:52:03.613384163 -0500
+@@ -299,7 +299,7 @@
+ draw_cdef_preview($_GET["cdef_id"]);
+ html_end_box();
+
+- html_start_box("CDEF Items [edit: " . db_fetch_cell("select name from cdef where id=" . $_GET["cdef_id"]) . "]", "100%", $colors["header"], "3", "center", "");
++ html_start_box("CDEF Items [edit: " . htmlspecialchars(db_fetch_cell("select name from cdef where id=" . $_GET["cdef_id"])) . "]", "100%", $colors["header"], "3", "center", "");
+
+ if (isset($_GET["type_select"])) {
+ $current_type = $_GET["type_select"];
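Review bot: the escaping added on the html_start_box() title covers the name read back from the database, but `$_GET["cdef_id"]` is still concatenated straight into `select name from cdef where id=` on both the old and the new line; that is outside the scope of an output-encoding patch, but it is only safe if the earlier part of cdef.php validates cdef_id as numeric (the cacti idiom is input_validate_input_number(), visible at the top of the data_queries.php hunk), which should be confirmed. Also, htmlspecialchars() with its default flags in the PHP versions of this era does not touch single quotes, so it only protects sinks that are element content or double-quoted attributes; any value landing in a single-quoted attribute or inline script needs ENT_QUOTES.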
+@@ -376,7 +376,7 @@
+
+ if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) {
+ include("./include/top_header.php");
+- form_confirm("Are You Sure?", "Are you sure you want to delete the CDEF '" . db_fetch_cell("select name from cdef where id=" . $_GET["id"]) . "' ?", "cdef.php", "cdef.php?action=remove&id=" . $_GET["id"]);
++ form_confirm("Are You Sure?", "Are you sure you want to delete the CDEF '" . htmlspecialchars(db_fetch_cell("select name from cdef where id=" . $_GET["id"])) . "' ?", htmlspecialchars("cdef.php"), htmlspecialchars("cdef.php?action=remove&id=" . $_GET["id"]));
+ include("./include/bottom_footer.php");
+ exit;
+ }
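Review bot: `htmlspecialchars("cdef.php")` on the cancel-URL literal is a no-op and only adds noise; the fourth argument, which carries `$_GET["id"]`, is the one that needs it. Encoding `&` as `&amp;` in `cdef.php?action=remove&id=` is correct for an href attribute, but only if form_confirm() writes the value into the attribute without escaping it again, otherwise the URL is double-encoded; check the helper once, since the same construct is repeated in gprint_presets.php.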
+@@ -396,7 +396,7 @@
+
+ if (!empty($_GET["id"])) {
+ $cdef = db_fetch_row("select * from cdef where id=" . $_GET["id"]);
+- $header_label = "[edit: " . $cdef["name"] . "]";
++ $header_label = "[edit: " . htmlspecialchars($cdef["name"]) . "]";
+ }else{
+ $header_label = "[new]";
+ }
+@@ -427,25 +427,25 @@
+
+ $i = 0;
+ if (sizeof($cdef_items) > 0) {
+- foreach ($cdef_items as $cdef_item) {
+- form_alternate_row_color($colors["alternate"],$colors["light"],$i); $i++;
+- ?>
+-
+- &cdef_id=">Item #
+-
+-
+- :
+-
+-
+- &cdef_id=">
+- &cdef_id=">
+-
+-
+- &cdef_id=">
+-
+-
+-
++
++ ">Item #
++
++
++ :
++
++
++ ">
++ ">
++
++
++ ">
++
++
++
+
+- ">
++ ">
+
+
+
+@@ -568,7 +568,7 @@
+ if (sizeof($cdef_list) > 0) {
+ foreach ($cdef_list as $cdef) {
+ form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $cdef["id"]);$i++;
+- form_selectable_cell("" . (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", $cdef["name"]) : $cdef["name"]) . " ", $cdef["id"]);
++ form_selectable_cell("" . (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", htmlspecialchars($cdef["name"])) : htmlspecialchars($cdef["name"])) . " ", $cdef["id"]);
+ form_checkbox_cell($cdef["name"], $cdef["id"]);
+ form_end_row();
+ }
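Review bot: escaping the name first and then running the eregi_replace() highlight over it is the right order for the highlight markup to survive, but it has a side effect: after htmlspecialchars() the string may contain entities such as `&amp;`, and a filter value like `amp` then matches inside the entity and wraps part of it in the highlight markup, giving broken output. Either highlight on the raw string with a placeholder and escape around it, or accept the cosmetic glitch, but it should be a conscious choice. Two smaller points: eregi_replace() is deprecated as of PHP 5.3 and emits a notice on every row, and the context line `form_checkbox_cell($cdef["name"], $cdef["id"])` still receives the raw name, so whether that helper escapes its label needs confirming.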
+diff -Nur cacti-0.8.7e.base/data_input.php cacti-0.8.7e.patched/data_input.php
+--- cacti-0.8.7e.base/data_input.php 2011-01-24 15:18:35.585370856 -0500
++++ cacti-0.8.7e.patched/data_input.php 2011-02-01 13:52:03.617383081 -0500
+@@ -314,7 +314,7 @@
+ return;
+ }
+
+- html_start_box("$header_name Fields [edit: " . $data_input["name"] . "]", "100%", $colors["header"], "3", "center", "");
++ html_start_box("$header_name Fields [edit: " . htmlspecialchars($data_input["name"]) . "]", "100%", $colors["header"], "3", "center", "");
+
+ $form_array = array();
+
+@@ -376,7 +376,7 @@
+
+ if (!empty($_GET["id"])) {
+ $data_input = db_fetch_row("select * from data_input where id=" . $_GET["id"]);
+- $header_label = "[edit: " . $data_input["name"] . "]";
++ $header_label = "[edit: " . htmlspecialchars($data_input["name"]) . "]";
+ }else{
+ $header_label = "[new]";
+ }
+@@ -406,13 +406,13 @@
+ form_alternate_row_color($colors["alternate"],$colors["light"],$i); $i++;
+ ?>
+
+- &data_input_id=">
++ ">
+
+
+
+
+
+-
++
+
+
+ &data_input_id=">
+@@ -520,7 +520,7 @@
+ Search:
+
+
+- ">
++ ">
+
+
+
+@@ -591,7 +591,7 @@
+ foreach ($data_inputs as $data_input) {
+ /* hide system types */
+ form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $data_input["id"]); $i++;
+- form_selectable_cell("" . (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", $data_input["name"]) : $data_input["name"]) . " ", $data_input["id"]);
++ form_selectable_cell("" . (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", htmlspecialchars($data_input["name"])) : htmlspecialchars($data_input["name"])) . " ", $data_input["id"]);
+ form_selectable_cell($input_types{$data_input["type_id"]}, $data_input["id"]);
+ form_checkbox_cell($data_input["name"], $data_input["id"]);
+ form_end_row();
+diff -Nur cacti-0.8.7e.base/data_queries.php cacti-0.8.7e.patched/data_queries.php
+--- cacti-0.8.7e.base/data_queries.php 2011-01-24 15:18:35.445370665 -0500
++++ cacti-0.8.7e.patched/data_queries.php 2011-02-01 13:52:03.617383081 -0500
+@@ -231,7 +231,7 @@
+ input_validate_input_number($matches[1]);
+ /* ==================================================== */
+
+- $dq_list .= "" . db_fetch_cell("SELECT snmp_query.name FROM snmp_query WHERE id='" . $matches[1] . "'") . " ";
++ $dq_list .= " " . htmlspecialchars(db_fetch_cell("SELECT snmp_query.name FROM snmp_query WHERE id='" . $matches[1] . "'")) . " ";
+ $dq_array[$i] = $matches[1];
+ }
+
+@@ -371,7 +371,7 @@
+ }
+
+ $snmp_query = db_fetch_row("select name,xml_path from snmp_query where id=" . $_GET["snmp_query_id"]);
+- $header_label = "[edit: " . $snmp_query["name"] . "]";
++ $header_label = "[edit: " . htmlspecialchars($snmp_query["name"]) . "]";
+
+ html_start_box("Associated Graph/Data Templates $header_label", "100%", $colors["header"], "3", "center", "");
+
+@@ -399,66 +399,66 @@
+
+ $i = 0;
+ if (sizeof($data_templates) > 0) {
+- foreach ($data_templates as $data_template) {
+- print "
+- Data Template - " . $data_template["name"] . "
+- ";
++ foreach ($data_templates as $data_template) {
++ print "
++ Data Template - " . $data_template["name"] . "
++ ";
++
++ $data_template_rrds = db_fetch_assoc("select
++ data_template_rrd.id,
++ data_template_rrd.data_source_name,
++ snmp_query_graph_rrd.snmp_field_name,
++ snmp_query_graph_rrd.snmp_query_graph_id
++ from data_template_rrd
++ left join snmp_query_graph_rrd on (snmp_query_graph_rrd.data_template_rrd_id=data_template_rrd.id and snmp_query_graph_rrd.snmp_query_graph_id=" . $_GET["id"] . " and snmp_query_graph_rrd.data_template_id=" . $data_template["id"] . ")
++ where data_template_rrd.data_template_id=" . $data_template["id"] . "
++ and data_template_rrd.local_data_id=0
++ order by data_template_rrd.data_source_name");
++
++ $i = 0;
++ if (sizeof($data_template_rrds) > 0) {
++ foreach ($data_template_rrds as $data_template_rrd) {
++ if (empty($data_template_rrd["snmp_query_graph_id"])) {
++ $old_value = "";
++ }else{
++ $old_value = "on";
++ }
+
+- $data_template_rrds = db_fetch_assoc("select
+- data_template_rrd.id,
+- data_template_rrd.data_source_name,
+- snmp_query_graph_rrd.snmp_field_name,
+- snmp_query_graph_rrd.snmp_query_graph_id
+- from data_template_rrd
+- left join snmp_query_graph_rrd on (snmp_query_graph_rrd.data_template_rrd_id=data_template_rrd.id and snmp_query_graph_rrd.snmp_query_graph_id=" . $_GET["id"] . " and snmp_query_graph_rrd.data_template_id=" . $data_template["id"] . ")
+- where data_template_rrd.data_template_id=" . $data_template["id"] . "
+- and data_template_rrd.local_data_id=0
+- order by data_template_rrd.data_source_name");
+-
+- $i = 0;
+- if (sizeof($data_template_rrds) > 0) {
+- foreach ($data_template_rrds as $data_template_rrd) {
+- if (empty($data_template_rrd["snmp_query_graph_id"])) {
+- $old_value = "";
+- }else{
+- $old_value = "on";
++ form_alternate_row_color($colors["form_alternate1"],$colors["form_alternate2"],$i); $i++;
++ ?>
++
++
++
++
++ Data Source:
++
++
++
++
++
++
++
++
++ ";?>
++
++
++
++
++
++
+-
+-
+-
+-
+- Data Source:
+-
+-
+-
+-
+-
+-
+-
+-
+- ";?>
+-
+-
+-
+-
+-
+-
+- Data Template - " . $data_template["name"] . "
++ Data Template - " . htmlspecialchars($data_template["name"]) . "
+ ";
+
+ $i = 0;
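Review bot: the data template name is escaped in the second print (`Data Template - " . htmlspecialchars($data_template["name"]) . "`), but the first, reindented print at the top of this hunk still emits `" . $data_template["name"] . "` unescaped, so the sink in the `$data_templates` loop remains. The remainder of the hunk is whitespace-only reindentation, which buries the one functional change; splitting the reindent from the escaping change into separate hunks would make the review tractable.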
+@@ -491,10 +491,10 @@
+ form_alternate_row_color($colors["form_alternate1"],$colors["form_alternate2"],$i); $i++;
+ ?>
+
+-
++
+
+
+-
++
+
+
+ &id=&snmp_query_id=&data_template_id=&field_name=">
+@@ -542,7 +542,7 @@
+ order by field_name,sequence");
+
+ print "
+- Graph Template - " . db_fetch_cell("select name from graph_templates where id=" . $snmp_query_item["graph_template_id"]) . "
++ Graph Template - " . htmlspecialchars(db_fetch_cell("select name from graph_templates where id=" . $snmp_query_item["graph_template_id"])) . "
+ ";
+
+ $i = 0;
+@@ -553,10 +553,10 @@
+ form_alternate_row_color($colors["form_alternate1"],$colors["form_alternate2"],$i); $i++;
+ ?>
+
+-
++
+
+
+-
++
+
+
+ &id=&snmp_query_id=&field_name=">
+@@ -627,7 +627,7 @@
+
+ if (!empty($_GET["id"])) {
+ $snmp_query = db_fetch_row("select * from snmp_query where id=" . $_GET["id"]);
+- $header_label = "[edit: " . $snmp_query["name"] . "]";
++ $header_label = "[edit: " . htmlspecialchars($snmp_query["name"]) . "]";
+ }else{
+ $header_label = "[new]";
+ }
+@@ -680,10 +680,10 @@
+ form_alternate_row_color($colors["form_alternate1"],$colors["form_alternate2"],$i); $i++;
+ ?>
+
+- &snmp_query_id=">
++ ">
+
+
+-
++
+
+
+ &snmp_query_id=">
+@@ -751,7 +751,7 @@
+ Search:
+
+
+- ">
++ ">
+
+
+
+@@ -823,7 +823,7 @@
+ if (sizeof($snmp_queries) > 0) {
+ foreach ($snmp_queries as $snmp_query) {
+ form_alternate_row_color($colors["alternate"],$colors["light"],$i, 'line' . $snmp_query["id"]); $i++;
+- form_selectable_cell("" . (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", $snmp_query["name"]) : $snmp_query["name"]) . " ", $snmp_query["id"]);
++ form_selectable_cell("" . (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", htmlspecialchars($snmp_query["name"])) : htmlspecialchars($snmp_query["name"])) . " ", $snmp_query["id"]);
+ form_selectable_cell((strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", $snmp_query["data_input_method"]) : $snmp_query["data_input_method"]), $snmp_query["id"]);
+ form_checkbox_cell($snmp_query["name"], $snmp_query["id"]);
+ form_end_row();
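Review bot: `$snmp_query["data_input_method"]` on the form_selectable_cell line right after the changed one is still output unescaped through the same eregi_replace() highlight path, while `name` on the line above now is; data_input_method is a stored string as well and deserves the same htmlspecialchars() treatment. The form_checkbox_cell() call below it also passes the raw name.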
+diff -Nur cacti-0.8.7e.base/data_sources.php cacti-0.8.7e.patched/data_sources.php
+--- cacti-0.8.7e.base/data_sources.php 2011-02-01 13:59:36.064888029 -0500
++++ cacti-0.8.7e.patched/data_sources.php 2011-02-01 13:52:03.621381865 -0500
+@@ -576,7 +576,7 @@
+
+ $host = db_fetch_row("select host.id,host.hostname from (data_local,host) where data_local.host_id=host.id and data_local.id=" . $_GET["id"]);
+
+- $header_label = "[edit: " . $data["name"] . "]";
++ $header_label = "[edit: " . htmlspecialchars($data["name"]) . "]";
+ }else{
+ $header_label = "[new]";
+ }
+@@ -588,7 +588,7 @@
+ /* get each INPUT field for this data input source */
+ $fields = db_fetch_assoc("select * from data_input_fields where data_input_id=" . $data["data_input_id"] . " and input_output='in' order by sequence");
+
+- html_start_box("Custom Data [data input: " . db_fetch_cell("select name from data_input where id=" . $data["data_input_id"]) . "]", "100%", $colors["header"], "3", "center", "");
++ html_start_box("Custom Data [data input: " . htmlspecialchars(db_fetch_cell("select name from data_input where id=" . $data["data_input_id"])) . "]", "100%", $colors["header"], "3", "center", "");
+
+ /* loop through each field found */
+ if (sizeof($fields) > 0) {
+@@ -691,7 +691,7 @@
+ exit;
+ }
+
+- $header_label = "[edit: " . get_data_source_title($_GET["id"]) . "]";
++ $header_label = "[edit: " . htmlspecialchars(get_data_source_title($_GET["id"])) . "]";
+
+ if (empty($data_local["data_template_id"])) {
+ $use_data_template = false;
+@@ -718,7 +718,7 @@
+
+
+
+-
++
+
+
+ *Turn Data Source Debug Mode.
+@@ -870,7 +870,7 @@
+ foreach ($template_data_rrds as $template_data_rrd) {
+ $i++;
+ print "
+-
++
+ \n
+ \n";
+ }
+@@ -1064,7 +1064,7 @@
+
+ Data Sources [host: " . (empty($host["hostname"]) ? "No Host" : $host["hostname"]) . "]", "100%", $colors["header"], "3", "center", "data_sources.php?action=ds_edit&host_id=" . get_request_var_request("host_id"));
++ html_start_box("Data Sources [host: " . (empty($host["hostname"]) ? "No Host" : htmlspecialchars($host["hostname"])) . "]", "100%", $colors["header"], "3", "center", "data_sources.php?action=ds_edit&host_id=" . get_request_var_request("host_id"));
+
+ ?>
+ ">
+@@ -1083,9 +1083,9 @@
+ $hosts = db_fetch_assoc("select id,CONCAT_WS('',description,' (',hostname,')') as name from host order by description,hostname");
+
+ if (sizeof($hosts) > 0) {
+- foreach ($hosts as $host) {
+- print "" . title_trim($host["name"], 40) . " \n";
+- }
++ foreach ($hosts as $host) {
++ print "" . title_trim(htmlspecialchars($host["name"]), 40) . " \n";
++ }
+ }
+ ?>
+
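Review bot: `title_trim(htmlspecialchars($host["name"]), 40)` trims after escaping, so the 40-character budget is spent on entity text (`&amp;` counts five) and a name cut inside an entity renders as a literal `&am...`; `htmlspecialchars(title_trim($host["name"], 40))` gives the intended display length and can never leave a partial entity. The same inside-out order appears on the template, method and name_cache lines later in this file and on the host, template and title_cache lines in graphs.php.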
+@@ -1108,9 +1108,9 @@
+ ORDER BY data_template.name");
+
+ if (sizeof($templates) > 0) {
+- foreach ($templates as $template) {
+- print "" . title_trim($template["name"], 40) . " \n";
+- }
++ foreach ($templates as $template) {
++ print "" . title_trim(htmlspecialchars($template["name"]), 40) . " \n";
++ }
+ }
+ ?>
+
+@@ -1139,9 +1139,9 @@
+ ORDER BY data_input.name");
+
+ if (sizeof($methods) > 0) {
+- foreach ($methods as $method) {
+- print "" . title_trim($method["name"], 40) . " \n";
+- }
++ foreach ($methods as $method) {
++ print "" . title_trim(htmlspecialchars($method["name"]), 40) . " \n";
++ }
+ }
+ ?>
+
+@@ -1154,9 +1154,9 @@
+ selected>Default
+ 0) {
+- foreach ($item_rows as $key => $value) {
+- print "" . $value . " \n";
+- }
++ foreach ($item_rows as $key => $value) {
++ print "" . htmlspecialchars($value) . " \n";
++ }
+ }
+ ?>
+
+@@ -1169,7 +1169,7 @@
+ Search:
+
+
+- ">
++ ">
+
+
+
+@@ -1304,12 +1304,12 @@
+ $data_input_name = ((empty($data_source["data_input_name"])) ? "External " : $data_source["data_input_name"]);
+ $poller_interval = ((isset($poller_intervals[$data_source["local_data_id"]])) ? $poller_intervals[$data_source["local_data_id"]] : 0);
+ form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $data_source["local_data_id"]); $i++;
+- form_selectable_cell("" . ((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", title_trim(htmlentities($data_source["name_cache"]), read_config_option("max_title_data_source"))) : title_trim(htmlentities($data_source["name_cache"]), read_config_option("max_title_data_source"))) . " ", $data_source["local_data_id"]);
++ form_selectable_cell("" . ((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) : title_trim(htmlspecialchars($data_source["name_cache"]), read_config_option("max_title_data_source"))) . " ", $data_source["local_data_id"]);
+ form_selectable_cell($data_source['local_data_id'], $data_source['local_data_id']);
+- form_selectable_cell(((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", $data_input_name) : $data_input_name) . "", $data_source["local_data_id"]);
++ form_selectable_cell(((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", htmlspecialchars($data_input_name)) : htmlspecialchars($data_input_name)), $data_source["local_data_id"]);
+ form_selectable_cell(get_poller_interval($poller_interval), $data_source["local_data_id"]);
+ form_selectable_cell(($data_source['active'] == "on" ? "Yes" : "No"), $data_source["local_data_id"]);
+- form_selectable_cell(((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", $data_source['data_template_name']) : $data_source['data_template_name']) . "", $data_source["local_data_id"]);
++ form_selectable_cell(((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", htmlspecialchars($data_source['data_template_name'])) : htmlspecialchars($data_source['data_template_name'])), $data_source["local_data_id"]);
+ form_checkbox_cell($data_source["name_cache"], $data_source["local_data_id"]);
+ form_end_row();
+ }
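Review bot: `$data_input_name` defaults to `"External "`; the trailing space suggests that constant carried markup which was stripped in this rendering, and if so, wrapping the whole variable in htmlspecialchars() on the new line turns the markup into visible text. Escape only the database value inside the ternary (`htmlspecialchars($data_source["data_input_name"])`) and leave the constant alone; the same applies to the `"None "` default for `$template_name` in graphs.php. The form_checkbox_cell() call two lines down still passes the raw name_cache.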
+diff -Nur cacti-0.8.7e.base/data_templates.php cacti-0.8.7e.patched/data_templates.php
+--- cacti-0.8.7e.base/data_templates.php 2011-01-24 15:18:35.117381542 -0500
++++ cacti-0.8.7e.patched/data_templates.php 2011-02-01 13:52:03.621381865 -0500
+@@ -427,7 +427,7 @@
+ $header_label = "[new]";
+ }
+
+- html_start_box("Data Templates $header_label", "100%", $colors["header"], "3", "center", "");
++ html_start_box("Data Templates " . htmlspecialchars($header_label), "100%", $colors["header"], "3", "center", "");
+
+ draw_edit_form(array(
+ "config" => array(),
+@@ -516,7 +516,7 @@
+
+ print "
+
+
+
+- ">
++ ">
+
+
+
+diff -Nur cacti-0.8.7e.base/gprint_presets.php cacti-0.8.7e.patched/gprint_presets.php
+--- cacti-0.8.7e.base/gprint_presets.php 2011-01-24 15:18:35.389369115 -0500
++++ cacti-0.8.7e.patched/gprint_presets.php 2011-02-01 13:52:03.544881043 -0500
+@@ -95,7 +95,7 @@
+
+ if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) {
+ include_once("./include/top_header.php");
+- form_confirm("Are You Sure?", "Are you sure you want to delete the GPRINT preset '" . db_fetch_cell("select name from graph_templates_gprint where id=" . $_GET["id"]) . "' ? This could affect every graph that uses this preset, make sure you know what you are doing first!", "gprint_presets.php", "gprint_presets.php?action=remove&id=" . $_GET["id"]);
++ form_confirm("Are You Sure?", "Are you sure you want to delete the GPRINT preset '" . htmlspecialchars(db_fetch_cell("select name from graph_templates_gprint where id=" . $_GET["id"])) . "' ? This could affect every graph that uses this preset, make sure you know what you are doing first!", htmlspecialchars("gprint_presets.php"), htmlspecialchars("gprint_presets.php?action=remove&id=" . $_GET["id"]));
+ exit;
+ }
+
+@@ -113,7 +113,7 @@
+
+ if (!empty($_GET["id"])) {
+ $gprint_preset = db_fetch_row("select * from graph_templates_gprint where id=" . $_GET["id"]);
+- $header_label = "[edit: " . $gprint_preset["name"] . "]";
++ $header_label = "[edit: " . htmlspecialchars($gprint_preset["name"]) . "]";
+ }else{
+ $header_label = "[new]";
+ }
+@@ -150,7 +150,7 @@
+ form_alternate_row_color($colors["alternate"],$colors["light"],$i);
+ ?>
+
+- ">
++ ">
+
+
+ ">
+diff -Nur cacti-0.8.7e.base/graph.php cacti-0.8.7e.patched/graph.php
+--- cacti-0.8.7e.base/graph.php 2011-02-01 13:59:36.136869779 -0500
++++ cacti-0.8.7e.patched/graph.php 2011-02-01 13:52:03.625388497 -0500
+@@ -80,39 +80,39 @@
+ ?>
+
+
+
+ 0) {
+- foreach ($rras as $rra) {
+- ?>
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+
+
+
+
+@@ -209,7 +209,7 @@
+
+
+
+-
++
+
+
+
+@@ -218,7 +218,7 @@
+
+
+
+-
++
+
+
+
+@@ -233,7 +233,7 @@
+ ?>
+
+
+
+
+@@ -241,7 +241,7 @@
+
+
+
+-
++
+
+
+
+@@ -250,7 +250,7 @@
+
+
+
+-
++
+
+
+
+diff -Nur cacti-0.8.7e.base/graphs_new.php cacti-0.8.7e.patched/graphs_new.php
+--- cacti-0.8.7e.base/graphs_new.php 2011-02-01 13:59:35.996870890 -0500
++++ cacti-0.8.7e.patched/graphs_new.php 2011-02-01 13:52:03.625388497 -0500
+@@ -426,12 +426,12 @@
+
+
+
+- ()
++ ()
+
+
+
+
+@@ -448,9 +448,9 @@
+ $hosts = db_fetch_assoc("select id,CONCAT_WS('',description,' (',hostname,')') as name from host order by description,hostname");
+
+ if (sizeof($hosts) > 0) {
+- foreach ($hosts as $item) {
+- print "" . $item["name"] . " \n";
+- }
++ foreach ($hosts as $item) {
++ print "" . htmlspecialchars($item["name"]) . " \n";
++ }
+ }
+ ?>
+
+@@ -494,7 +494,7 @@
+ Search:
+
+
+- ">
++ ">
+
+
+
+@@ -570,7 +570,7 @@
+ print " "; $i++;
+
+ print "
+- Create: " . $graph_template["graph_template_name"] . "
++ Create: " . htmlspecialchars($graph_template["graph_template_name"]) . "
+
+
+
+diff -Nur cacti-0.8.7e.base/graphs.php cacti-0.8.7e.patched/graphs.php
+--- cacti-0.8.7e.base/graphs.php 2011-01-24 15:18:35.469381736 -0500
++++ cacti-0.8.7e.patched/graphs.php 2011-02-01 13:52:03.625388497 -0500
+@@ -563,7 +563,7 @@
+ order by graph_templates_item.sequence");
+
+ $host_id = db_fetch_cell("select host_id from graph_local where id=" . $_GET["id"]);
+- $header_label = "[edit: " . get_graph_title($_GET["id"]) . "]";
++ $header_label = "[edit: " . htmlspecialchars(get_graph_title($_GET["id"])) . "]";
+ }
+
+ $graph_template_id = db_fetch_cell("select graph_template_id from graph_local where id=" . $_GET["id"]);
+@@ -826,7 +826,7 @@
+ $graphs_template = db_fetch_row("select * from graph_templates_graph where id=$local_graph_template_graph_id");
+
+ $host_id = db_fetch_cell("select host_id from graph_local where id=" . $_GET["id"]);
+- $header_label = "[edit: " . get_graph_title($_GET["id"]) . "]";
++ $header_label = "[edit: " . htmlspecialchars(get_graph_title($_GET["id"])) . "]";
+
+ if ($graphs["graph_template_id"] == "0") {
+ $use_graph_template = false;
+@@ -850,7 +850,7 @@
+
+
+
+-
++
+
+
+ *Turn Graph Debug Mode.
+@@ -1146,9 +1146,9 @@
+ }
+
+ if (sizeof($hosts) > 0) {
+- foreach ($hosts as $host) {
+- print "" . title_trim($host["name"], 40) . " \n";
+- }
++ foreach ($hosts as $host) {
++ print "" . title_trim(htmlspecialchars($host["name"]), 40) . " \n";
++ }
+ }
+ ?>
+
+@@ -1178,9 +1178,9 @@
+ }
+
+ if (sizeof($templates) > 0) {
+- foreach ($templates as $template) {
+- print "" . title_trim($template["name"], 40) . " \n";
+- }
++ foreach ($templates as $template) {
++ print "" . title_trim(htmlspecialchars($template["name"]), 40) . " \n";
++ }
+ }
+ ?>
+
+@@ -1197,7 +1197,7 @@
+ Search:
+
+
+- ">
++ ">
+
+
+ Rows per Page:
+@@ -1207,9 +1207,9 @@
+ selected>Default
+ 0) {
+- foreach ($item_rows as $key => $value) {
+- print "" . $value . " \n";
+- }
++ foreach ($item_rows as $key => $value) {
++ print "" . htmlspecialchars($value) . " \n";
++ }
+ }
+ ?>
+
+@@ -1308,9 +1308,9 @@
+ foreach ($graph_list as $graph) {
+ $template_name = ((empty($graph["name"])) ? "None " : $graph["name"]);
+ form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $graph["local_graph_id"]); $i++;
+- form_selectable_cell("" . ((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", title_trim($graph["title_cache"], read_config_option("max_title_graph"))) : title_trim($graph["title_cache"], read_config_option("max_title_graph"))) . " ", $graph["local_graph_id"]);
++ form_selectable_cell("" . ((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) : title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) . " ", $graph["local_graph_id"]);
+ form_selectable_cell($graph["local_graph_id"], $graph["local_graph_id"]);
+- form_selectable_cell(((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", $template_name) : $template_name) . "", $graph["local_graph_id"]);
++ form_selectable_cell(((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", htmlspecialchars($template_name)) : htmlspecialchars($template_name)), $graph["local_graph_id"]);
+ form_selectable_cell($graph["height"] . "x" . $graph["width"], $graph["local_graph_id"]);
+ form_checkbox_cell($graph["title_cache"], $graph["local_graph_id"]);
+ form_end_row();
+diff -Nur cacti-0.8.7e.base/graph_templates_inputs.php cacti-0.8.7e.patched/graph_templates_inputs.php
+--- cacti-0.8.7e.base/graph_templates_inputs.php 2011-01-24 15:18:35.721380661 -0500
++++ cacti-0.8.7e.patched/graph_templates_inputs.php 2011-02-01 13:52:03.552882100 -0500
+@@ -161,7 +161,7 @@
+ $graph_template_input = db_fetch_row("select * from graph_template_input where id=" . $_GET["id"]);
+ }
+
+- html_start_box("Graph Item Inputs $header_label", "100%", $colors["header"], "3", "center", "");
++ html_start_box("Graph Item Inputs " . htmlspecialchars($header_label), "100%", $colors["header"], "3", "center", "");
+
+ draw_edit_form(array(
+ "config" => array(),
+diff -Nur cacti-0.8.7e.base/graph_templates_items.php cacti-0.8.7e.patched/graph_templates_items.php
+--- cacti-0.8.7e.base/graph_templates_items.php 2011-01-24 15:18:35.309370877 -0500
++++ cacti-0.8.7e.patched/graph_templates_items.php 2011-02-01 13:52:03.552882100 -0500
+@@ -299,7 +299,7 @@
+
+ $header_label = "[edit graph: " . db_fetch_cell("select name from graph_templates where id=" . $_GET["graph_template_id"]) . "]";
+
+- html_start_box("Graph Template Items $header_label", "100%", $colors["header"], "3", "center", "");
++ html_start_box("Graph Template Items " . htmlspecialchars($header_label), "100%", $colors["header"], "3", "center", "");
+
+ if (!empty($_GET["id"])) {
+ $template_item = db_fetch_row("select * from graph_templates_item where id=" . $_GET["id"]);
+diff -Nur cacti-0.8.7e.base/graph_templates.php cacti-0.8.7e.patched/graph_templates.php
+--- cacti-0.8.7e.base/graph_templates.php 2011-01-24 15:18:35.609371048 -0500
++++ cacti-0.8.7e.patched/graph_templates.php 2011-02-01 13:52:03.629382900 -0500
+@@ -308,7 +308,7 @@
+ $header_label = "[edit: " . db_fetch_cell("select name from graph_templates where id=" . $_GET["id"]) . "]";
+ }
+
+- html_start_box("Graph Template Items $header_label", "100%", $colors["header"], "3", "center", "graph_templates_items.php?action=item_edit&graph_template_id=" . $_GET["id"]);
++ html_start_box("Graph Template Items " . htmlspecialchars($header_label), "100%", $colors["header"], "3", "center", "graph_templates_items.php?action=item_edit&graph_template_id=" . $_GET["id"]);
+ draw_graph_items_list($template_item_list, "graph_templates_items.php", "graph_template_id=" . $_GET["id"], false);
+ html_end_box();
+
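Review bot: the seventh argument to html_start_box, "graph_templates_items.php?action=item_edit&graph_template_id=" . $_GET["id"], is still passed raw while the label beside it is now escaped; the host.php hunk later in this patch wraps the equivalent form_confirm URL in htmlspecialchars, so do the same here, or better, make sure id is validated as an integer so the URL cannot carry anything else. The same raw $_GET["id"] goes into draw_graph_items_list on the next context line.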
+@@ -326,7 +326,7 @@
+ form_alternate_row_color($colors["alternate"],$colors["light"],$i);
+ ?>
+
+- &graph_template_id=">
++ ">
+
+
+ &graph_template_id=">
+@@ -367,7 +367,7 @@
+ $header_label = "[new]";
+ }
+
+- html_start_box("Template $header_label", "100%", $colors["header"], "3", "center", "");
++ html_start_box("Template " . htmlspecialchars($header_label), "100%", $colors["header"], "3", "center", "");
+
+ draw_edit_form(array(
+ "config" => array(),
+@@ -493,7 +493,7 @@
+ Search:
+
+
+- ">
++ ">
+
+
+
+@@ -558,7 +558,7 @@
+ if (sizeof($template_list) > 0) {
+ foreach ($template_list as $template) {
+ form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $template["id"]);$i++;
+- form_selectable_cell("" . (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", $template["name"]) : $template["name"]) . " ", $template["id"]);
++ form_selectable_cell("" . (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", htmlspecialchars($template["name"])) : htmlspecialchars($template["name"])) . " ", $template["id"]);
+ form_checkbox_cell($template["name"], $template["id"]);
+ form_end_row();
+ }
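Review bot: htmlspecialchars is applied to $template["name"] before eregi_replace inserts the filter highlight, which is the safe order since the highlight markup must stay raw, but it means a filter term containing &, <, > or quotes no longer matches names containing them, because those characters are already entities when the regex runs; escape the filter term the same way before building the pattern if that matters. Note too that the pattern is quoted with preg_quote but executed by eregi (POSIX, deprecated), which do not escape exactly the same metacharacters, and that form_checkbox_cell($template["name"], ...) on the following line still receives the raw name, so confirm that helper escapes internally.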
+diff -Nur cacti-0.8.7e.base/graph_view.php cacti-0.8.7e.patched/graph_view.php
+--- cacti-0.8.7e.base/graph_view.php 2011-01-24 15:18:35.413381585 -0500
++++ cacti-0.8.7e.patched/graph_view.php 2011-02-01 13:52:03.629382900 -0500
+@@ -326,9 +326,9 @@
+ }
+
+ if (sizeof($hosts) > 0) {
+- foreach ($hosts as $host) {
+- print "" . $host["name"] . " \n";
+- }
++ foreach ($hosts as $host) {
++ print "" . htmlspecialchars($host["name"]) . " \n";
++ }
+ }
+ ?>
+
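Review bot: the only functional change in this hunk is the htmlspecialchars call on the print line, yet the foreach and closing-brace lines are rewritten as well, differing only in indentation; restricting the hunk to the one changed line keeps the security fix reviewable and avoids fuzz failures when the patch is rebased. The same whitespace churn repeats in the remaining graph_view.php, host.php and host_templates.php loops below.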
+@@ -357,9 +357,9 @@
+ }
+
+ if (sizeof($graph_templates) > 0) {
+- foreach ($graph_templates as $template) {
+- print "" . $template["name"] . " \n";
+- }
++ foreach ($graph_templates as $template) {
++ print "" . htmlspecialchars($template["name"]) . " \n";
++ }
+ }
+ ?>
+
+@@ -368,7 +368,7 @@
+ Search:
+
+
+- ">
++ ">
+
+
+
+@@ -689,9 +689,9 @@
+ }
+
+ if (sizeof($hosts) > 0) {
+- foreach ($hosts as $host) {
+- print "" . $host["name"] . " \n";
+- }
++ foreach ($hosts as $host) {
++ print "" . htmlspecialchars($host["name"]) . " \n";
++ }
+ }
+ ?>
+
+@@ -701,7 +701,7 @@
+
+
+
+- selected>Any
++ selected>Any
+ 0) {
+- foreach ($graph_templates as $template) {
+- print "" . $template["name"] . " \n";
+- }
++ foreach ($graph_templates as $template) {
++ print "" . htmlspecialchars($template["name"]) . " \n";
++ }
+ }
+ ?>
+
+@@ -730,7 +730,7 @@
+ Search:
+
+
+- ">
++ ">
+
+
+
+diff -Nur cacti-0.8.7e.base/host.php cacti-0.8.7e.patched/host.php
+--- cacti-0.8.7e.base/host.php 2011-02-01 13:59:36.068881641 -0500
++++ cacti-0.8.7e.patched/host.php 2011-02-01 13:52:03.633382279 -0500
+@@ -325,7 +325,7 @@
+ input_validate_input_number($matches[1]);
+ /* ==================================================== */
+
+- $host_list .= "" . db_fetch_cell("select description from host where id=" . $matches[1]) . " ";
++ $host_list .= " " . htmlspecialchars(db_fetch_cell("select description from host where id=" . $matches[1])) . " ";
+ $host_array[$i] = $matches[1];
+ }
+
+@@ -345,14 +345,14 @@
+ print "
+
+ To enable the following devices, press the \"yes\" button below.
+- $host_list
++
+
+ ";
+ }elseif ($_POST["drp_action"] == "3") { /* Disable Devices */
+ print "
+
+ To disable the following devices, press the \"yes\" button below.
+- $host_list
++
+
+ ";
+ }elseif ($_POST["drp_action"] == "4") { /* change snmp options */
+@@ -360,7 +360,7 @@
+
+ To change SNMP parameters for the following devices, check the box next to the fields
+ you want to update, fill in the new value, and click Save.
+- $host_list
++
+
+ ";
+ $form_array = array();
+@@ -391,7 +391,7 @@
+
+ To change SNMP parameters for the following devices, check the box next to the fields
+ you want to update, fill in the new value, and click Save.
+- $host_list
++
+
+ ";
+ $form_array = array();
+@@ -427,7 +427,7 @@
+ print "
+
+ Are you sure you want to delete the following devices?
+- $host_list
";
++
";
+ form_radio_button("delete_type", "2", "1", "Leave all graphs and data sources untouched. Data sources will be disabled however.", "1"); print " ";
+ form_radio_button("delete_type", "2", "2", "Delete all associated graphs and data sources .", "1"); print " ";
+ print "
+@@ -439,7 +439,7 @@
+
+ When you click save, the following hosts will be placed under the branch selected
+ below.
+- $host_list
++
+ Destination Branch: "; grow_dropdown_tree($matches[1], "tree_item_id", "0"); print "
+
+ \n
+@@ -514,7 +514,7 @@
+
+ if ((read_config_option("deletion_verification") == "on") && (!isset($_GET["confirm"]))) {
+ include("./include/top_header.php");
+- form_confirm("Are You Sure?", "Are you sure you want to delete the host '" . db_fetch_cell("select description from host where id=" . $_GET["id"]) . "' ?", "host.php", "host.php?action=remove&id=" . $_GET["id"]);
++ form_confirm("Are You Sure?", "Are you sure you want to delete the host '" . htmlspecialchars(db_fetch_cell("select description from host where id=" . $_GET["id"])) . "' ?", htmlspecialchars("host.php"), htmlspecialchars("host.php?action=remove&id=" . $_GET["id"]));
+ include("./include/bottom_footer.php");
+ exit;
+ }
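Review bot: htmlspecialchars("host.php") on the + line is a no-op on a string constant and should be dropped; the call that matters is the one on the confirm URL where $_GET["id"] is interpolated. Since the same $_GET["id"] is concatenated into the db_fetch_cell query on that line, the fix that counts for the SQL side is input_validate_input_number at the top of the remove action, not output escaping; confirm it is there.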
+@@ -535,7 +535,7 @@
+
+ if (!empty($_GET["id"])) {
+ $host = db_fetch_row("select * from host where id=" . $_GET["id"]);
+- $header_label = "[edit: " . $host["description"] . "]";
++ $header_label = "[edit: " . htmlspecialchars($host["description"]) . "]";
+ }else{
+ $header_label = "[new]";
+ }
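Review bot: this hunk escapes $host["description"] at the point $header_label is assigned, whereas graph_templates*.php and host_templates.php in the same patch leave the label raw and escape it inside the html_start_box call. If html_start_box in host.php is, or later becomes, escaped the same way, descriptions containing & or < render as double-encoded entities; choose one place for the escape and apply it consistently across the patch.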
+@@ -545,7 +545,7 @@
+
+
+
+- ()
++ ()
+
+
+
+@@ -986,7 +986,7 @@
+ ?>
+
+
+- )
++ )
+
+
+ Is Being Graphed (Edit )" : "Not Being Graphed ");?>
+@@ -1062,7 +1062,7 @@
+ ?>
+
+
+- )
++ )
+
+
+ (&host_id=">Verbose Query )
+@@ -1205,9 +1205,9 @@
+ $host_templates = db_fetch_assoc("select id,name from host_template order by name");
+
+ if (sizeof($host_templates) > 0) {
+- foreach ($host_templates as $host_template) {
+- print "" . $host_template["name"] . " \n";
+- }
++ foreach ($host_templates as $host_template) {
++ print "" . htmlspecialchars($host_template["name"]) . " \n";
++ }
+ }
+ ?>
+
+@@ -1231,7 +1231,7 @@
+ Search:
+
+
+- ">
++ ">
+
+
+ Rows per Page:
+@@ -1241,9 +1241,9 @@
+ selected>Default
+ 0) {
+- foreach ($item_rows as $key => $value) {
+- print "" . $value . " \n";
+- }
++ foreach ($item_rows as $key => $value) {
++ print "" . htmlspecialchars($value) . " \n";
++ }
+ }
+ ?>
+
+@@ -1354,13 +1354,13 @@
+ foreach ($hosts as $host) {
+ form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $host["id"]); $i++;
+ form_selectable_cell("" .
+- (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", $host["description"]) : $host["description"]) . " ", $host["id"], 250);
++ (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", htmlspecialchars($host["description"])) : htmlspecialchars($host["description"])) . "", $host["id"], 250);
+ form_selectable_cell(round(($host["id"]), 2), $host["id"]);
+ form_selectable_cell((isset($host_graphs[$host["id"]]) ? $host_graphs[$host["id"]] : 0), $host["id"]);
+ form_selectable_cell((isset($host_data_sources[$host["id"]]) ? $host_data_sources[$host["id"]] : 0), $host["id"]);
+ form_selectable_cell(get_colored_device_status(($host["disabled"] == "on" ? true : false), $host["status"]), $host["id"]);
+ form_selectable_cell(round(($host["status_event_count"]), 2), $host["id"]);
+- form_selectable_cell((strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", $host["hostname"]) : $host["hostname"]), $host["id"]);
++ form_selectable_cell((strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", htmlspecialchars($host["hostname"])) : htmlspecialchars($host["hostname"])), $host["id"]);
+ form_selectable_cell(round(($host["cur_time"]), 2), $host["id"]);
+ form_selectable_cell(round(($host["avg_time"]), 2), $host["id"]);
+ form_selectable_cell(round($host["availability"], 2), $host["id"]);
+diff -Nur cacti-0.8.7e.base/host_templates.php cacti-0.8.7e.patched/host_templates.php
+--- cacti-0.8.7e.base/host_templates.php 2011-01-24 15:18:35.089370745 -0500
++++ cacti-0.8.7e.patched/host_templates.php 2011-02-01 13:52:03.648869205 -0500
+@@ -252,7 +252,7 @@
+ $_GET["id"] = 0;
+ }
+
+- html_start_box("Host Templates $header_label", "100%", $colors["header"], "3", "center", "");
++ html_start_box("Host Templates " . htmlspecialchars($header_label), "100%", $colors["header"], "3", "center", "");
+
+ draw_edit_form(array(
+ "config" => array(),
+@@ -279,7 +279,7 @@
+ ?>
+
+
+- )
++ )
+
+
+
+@@ -329,7 +329,7 @@
+ ?>
+
+
+- )
++ )
+
+
+
+@@ -421,7 +421,7 @@
+ Search:
+
+
+- ">
++ ">
+
+
+
+@@ -487,7 +487,7 @@
+ if (sizeof($template_list) > 0) {
+ foreach ($template_list as $template) {
+ form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $template["id"]);$i++;
+- form_selectable_cell("" . (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", $template["name"]) : $template["name"]) . " ", $template["id"]);
++ form_selectable_cell("" . (strlen(get_request_var_request("filter")) ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1 ", htmlspecialchars($template["name"])) : htmlspecialchars($template["name"])) . " ", $template["id"]);
+ form_checkbox_cell($template["name"], $template["id"]);
+ form_end_row();
+ }
+diff -Nur cacti-0.8.7e.base/include/top_graph_header.php cacti-0.8.7e.patched/include/top_graph_header.php
+--- cacti-0.8.7e.base/include/top_graph_header.php 2011-02-01 13:59:35.920869376 -0500
++++ cacti-0.8.7e.patched/include/top_graph_header.php 2011-02-01 13:52:03.561370824 -0500
+@@ -27,6 +27,8 @@
+
+ /* ================= input validation ================= */
+ input_validate_input_number(get_request_var_request("local_graph_id"));
++input_validate_input_number(get_request_var_request("graph_start"));
++input_validate_input_number(get_request_var_request("graph_end"));
+ /* ==================================================== */
+
+ if (read_config_option("auth_method") != 0) {
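Review bot: validating graph_start and graph_end with input_validate_input_number is the right fix for the values handed to rrdtool in the next hunk, but both parameters are optional (the code below tests them with !empty), so confirm input_validate_input_number accepts an absent or empty value rather than rejecting every request without an explicit time range. rra_id, which the next hunk also passes to rrdtool_function_graph, gets no validation call here; add one.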
+@@ -128,15 +130,15 @@
+
+ /* override: graph start time (unix time) */
+ if (!empty($_GET["graph_start"])) {
+- $graph_data_array["graph_start"] = $_GET["graph_start"];
++ $graph_data_array["graph_start"] = get_request_var_request("graph_start");
+ }
+
+ /* override: graph end time (unix time) */
+ if (!empty($_GET["graph_end"])) {
+- $graph_data_array["graph_end"] = $_GET["graph_end"];
++ $graph_data_array["graph_end"] = get_request_var_request("graph_end");
+ }
+
+- print trim(rrdtool_function_graph($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array));
++ print trim(@rrdtool_function_graph(get_request_var_request("local_graph_id"), get_request_var_request("rra_id"), $graph_data_array));
+ ?>
+
+
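Review bot: the @ placed in front of rrdtool_function_graph suppresses every PHP warning and notice raised during graph generation, including the ones that would show a rejected parameter or a failing rrdtool invocation, which makes the validation added above harder to diagnose when it trips; drop the @ and handle the failure explicitly. Also, the two conditions still read $_GET["graph_start"] and $_GET["graph_end"] directly while the assignments now use get_request_var_request; use the accessor in both places.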
+diff -Nur cacti-0.8.7e.base/lib/functions.php cacti-0.8.7e.patched/lib/functions.php
+--- cacti-0.8.7e.base/lib/functions.php 2011-01-24 15:18:35.221369622 -0500
++++ cacti-0.8.7e.patched/lib/functions.php 2011-02-01 13:52:03.565370802 -0500
+@@ -1762,15 +1762,18 @@
+ if ($current_mappings[$i] == "?") {
+ /* '?' tells us to pull title from the cache at this level */
+ if (isset($nav_level_cache{$i})) {
+- $current_nav .= (empty($url) ? "" : "") . resolve_navigation_variables($nav{$nav_level_cache{$i}["id"]}["title"]) . (empty($url) ? "" : " ") . " -> ";
++ $current_nav .= (empty($url) ? "" : "") . htmlspecialchars(resolve_navigation_variables($nav{$nav_level_cache{$i}["id"]}["title"])) . (empty($url) ? "" : " ") . " -> ";
++ $title .= htmlspecialchars(resolve_navigation_variables($nav{$nav_level_cache{$i}["id"]}["title"])) . " -> ";
+ }
+ }else{
+ /* there is no '?' - pull from the above array */
+- $current_nav .= (empty($url) ? "" : "") . resolve_navigation_variables($nav{$current_mappings[$i]}["title"]) . (empty($url) ? "" : " ") . " -> ";
++ $current_nav .= (empty($url) ? "" : "") . htmlspecialchars(resolve_navigation_variables($nav{$current_mappings[$i]}["title"])) . (empty($url) ? "" : " ") . " -> ";
++ $title .= htmlspecialchars(resolve_navigation_variables($nav{$current_mappings[$i]}["title"])) . " -> ";
+ }
+ }
+
+- $current_nav .= resolve_navigation_variables($current_array["title"]);
++ $current_nav .= htmlspecialchars(resolve_navigation_variables($current_array["title"]));
++ $title .= htmlspecialchars(resolve_navigation_variables($current_array["title"]));
+
+ /* keep a cache for each level we encounter */
+ $nav_level_cache{$current_array["level"]} = array("id" => $current_page . ":" . $current_action, "url" => get_browser_query_string());
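Review bot: $title is appended to with .= on three new lines but is never initialised in the hunk; if nothing sets it before the loop this relies on PHP creating it from an undefined variable (an E_NOTICE) and on no earlier assignment leaking in. Initialise it explicitly, compute htmlspecialchars(resolve_navigation_variables(...)) once per level into a local instead of twice, and note in a comment that $title is already HTML-escaped so whatever places it in the page title does not escape it a second time.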
+diff -Nur cacti-0.8.7e.base/lib/html_form.php cacti-0.8.7e.patched/lib/html_form.php
+--- cacti-0.8.7e.base/lib/html_form.php 2011-02-01 13:59:36.096871163 -0500
++++ cacti-0.8.7e.patched/lib/html_form.php 2011-02-01 13:52:03.565370802 -0500
+@@ -65,7 +65,7 @@
+ form_alternate_row_color($colors["form_alternate1"], $colors["form_alternate2"], $i, 'row_' . $field_name);
+ }
+
+- print "\n" . $field_array["friendly_name"] . " \n";
++ print " \n" . htmlspecialchars($field_array["friendly_name"]) . " \n";
+
+ if (isset($field_array["sub_checkbox"])) {
+ form_checkbox($field_array["sub_checkbox"]["name"], $field_array["sub_checkbox"]["value"],
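Review bot: escaping friendly_name centrally in draw_edit_form is a good choice, since html_form_template.php appends the database-sourced data_source_name to friendly_name and that value is now covered here; the caveat is that any caller that deliberately embeds markup in friendly_name will now see it rendered literally, so audit the existing friendly_name strings before merging.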
+@@ -432,7 +432,7 @@
+ $on_change = " onChange='$on_change' ";
+ }
+
+- print "";
++ print "";
+
+ if (!empty($form_none_entry)) {
+ print "$form_none_entry \n";
+diff -Nur cacti-0.8.7e.base/lib/html_form_template.php cacti-0.8.7e.patched/lib/html_form_template.php
+--- cacti-0.8.7e.base/lib/html_form_template.php 2011-01-24 15:18:35.141370916 -0500
++++ cacti-0.8.7e.patched/lib/html_form_template.php 2011-02-01 13:52:03.569371102 -0500
+@@ -307,79 +307,79 @@
+ }
+
+ if (sizeof($values_array) > 0) {
+- foreach ($values_array as $rrd) {
+- reset($struct_data_source_item);
+- $form_array = array();
+-
+- /* if the user specifies a title, we only want to draw that. if not, we should create our
+- own title for each data source item */
+- if ($draw_title_for_each_item == true) {
+- $draw_any_items = false;
+- }
++ foreach ($values_array as $rrd) {
++ reset($struct_data_source_item);
++ $form_array = array();
+
+- if (empty($rrd["local_data_id"])) { /* this is a template */
+- $data_template_rrd = $rrd;
+- }else{ /* this is not a template */
+- $data_template_rrd = db_fetch_row("select * from data_template_rrd where id=" . $rrd["local_data_template_rrd_id"]);
+- }
++ /* if the user specifies a title, we only want to draw that. if not, we should create our
++ own title for each data source item */
++ if ($draw_title_for_each_item == true) {
++ $draw_any_items = false;
++ }
+
+- while (list($field_name, $field_array) = each($struct_data_source_item)) {
+- /* find our field name */
+- $form_field_name = str_replace("|field|", $field_name, $field_name_format);
+- $form_field_name = str_replace("|id|", $rrd["id"], $form_field_name);
++ if (empty($rrd["local_data_id"])) { /* this is a template */
++ $data_template_rrd = $rrd;
++ }else{ /* this is not a template */
++ $data_template_rrd = db_fetch_row("select * from data_template_rrd where id=" . $rrd["local_data_template_rrd_id"]);
++ }
+
+- $form_array += array($form_field_name => $struct_data_source_item[$field_name]);
++ while (list($field_name, $field_array) = each($struct_data_source_item)) {
++ /* find our field name */
++ $form_field_name = str_replace("|field|", $field_name, $field_name_format);
++ $form_field_name = str_replace("|id|", $rrd["id"], $form_field_name);
+
+- /* modifications to the default form array */
+- $form_array[$form_field_name]["value"] = (isset($rrd[$field_name]) ? $rrd[$field_name] : "");
+- $form_array[$form_field_name]["form_id"] = (isset($rrd["id"]) ? $rrd["id"] : "0");
+- unset($form_array[$form_field_name]["default"]);
++ $form_array += array($form_field_name => $struct_data_source_item[$field_name]);
+
+- /* append the data source item name so the user will recognize it */
+- if ($draw_title_for_each_item == false) {
+- $form_array[$form_field_name]["friendly_name"] .= " [" . $rrd["data_source_name"] . "]";
+- }
++ /* modifications to the default form array */
++ $form_array[$form_field_name]["value"] = (isset($rrd[$field_name]) ? $rrd[$field_name] : "");
++ $form_array[$form_field_name]["form_id"] = (isset($rrd["id"]) ? $rrd["id"] : "0");
++ unset($form_array[$form_field_name]["default"]);
+
+- if ($data_template_rrd{"t_" . $field_name} != "on") {
+- if ($include_hidden_fields == true) {
+- $form_array[$form_field_name]["method"] = "hidden";
+- }else{
+- unset($form_array[$form_field_name]);
+- }
+- }elseif ((!empty($snmp_query_graph_id)) && (sizeof(db_fetch_assoc("select id from snmp_query_graph_rrd_sv where snmp_query_graph_id=$snmp_query_graph_id and data_template_id=$data_template_id and field_name='$field_name'")) > 0)) {
+- if ($include_hidden_fields == true) {
+- $form_array[$form_field_name]["method"] = "hidden";
+- }else{
+- unset($form_array[$form_field_name]);
+- }
+- }else{
+- if (($draw_any_items == false) && ($draw_title_for_each_item == false) && ($header_title != "")) {
+- print "$header_title \n";
+- }elseif (($draw_any_items == false) && ($draw_title_for_each_item == true) && ($header_title != "")) {
+- print "$header_title [" . $rrd["data_source_name"] . "] \n";
++ /* append the data source item name so the user will recognize it */
++ if ($draw_title_for_each_item == false) {
++ $form_array[$form_field_name]["friendly_name"] .= " [" . $rrd["data_source_name"] . "]";
+ }
+
+- $draw_any_items = true;
+-
+- /* if the "Output field" appears here among the non-templated fields, the
+- valid choices for the drop-down box must be fetched from the associated
+- data input method */
+- if ($field_name == "data_input_field_id") {
+- $data_input_id = db_fetch_cell("select data_input_id from data_template_data where data_template_id=".$rrd["data_template_id"]." and local_data_id=0");
+- $form_array[$form_field_name]["sql"] = "select id,CONCAT(data_name,' - ',name) as name from data_input_fields where data_input_id=".$data_input_id." and input_output='out' and update_rra='on' order by data_name,name";
++ if ($data_template_rrd{"t_" . $field_name} != "on") {
++ if ($include_hidden_fields == true) {
++ $form_array[$form_field_name]["method"] = "hidden";
++ }else{
++ unset($form_array[$form_field_name]);
++ }
++ }elseif ((!empty($snmp_query_graph_id)) && (sizeof(db_fetch_assoc("select id from snmp_query_graph_rrd_sv where snmp_query_graph_id=$snmp_query_graph_id and data_template_id=$data_template_id and field_name='$field_name'")) > 0)) {
++ if ($include_hidden_fields == true) {
++ $form_array[$form_field_name]["method"] = "hidden";
++ }else{
++ unset($form_array[$form_field_name]);
++ }
++ }else{
++ if (($draw_any_items == false) && ($draw_title_for_each_item == false) && ($header_title != "")) {
++ print "$header_title \n";
++ }elseif (($draw_any_items == false) && ($draw_title_for_each_item == true) && ($header_title != "")) {
++ print "$header_title [" . $rrd["data_source_name"] . "] \n";
++ }
++
++ $draw_any_items = true;
++
++ /* if the "Output field" appears here among the non-templated fields, the
++ valid choices for the drop-down box must be fetched from the associated
++ data input method */
++ if ($field_name == "data_input_field_id") {
++ $data_input_id = db_fetch_cell("select data_input_id from data_template_data where data_template_id=".$rrd["data_template_id"]." and local_data_id=0");
++ $form_array[$form_field_name]["sql"] = "select id,CONCAT(data_name,' - ',name) as name from data_input_fields where data_input_id=".$data_input_id." and input_output='out' and update_rra='on' order by data_name,name";
++ }
+ }
+ }
+- }
+
+- draw_edit_form(
+- array(
+- "config" => $form_config_array,
+- "fields" => $form_array
+- )
+- );
++ draw_edit_form(
++ array(
++ "config" => $form_config_array,
++ "fields" => $form_array
++ )
++ );
+
+- $num_fields_drawn += sizeof($form_array);
+- }
++ $num_fields_drawn += sizeof($form_array);
++ }
+ }
+
+ return $num_fields_drawn;
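Review bot: apart from re-indentation this hunk changes nothing: the two print lines in the else branch that emit $header_title and $rrd["data_source_name"] are identical on both sides and still interpolate the database-sourced data_source_name unescaped, while the same value appended to friendly_name a few lines up is escaped later by the html_form.php change. Either wrap data_source_name in htmlspecialchars in those prints as well or drop this whitespace-only hunk from the patch.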
+@@ -414,61 +414,61 @@
+ /* loop through each field found */
+ $i = 0;
+ if (sizeof($fields) > 0) {
+- foreach ($fields as $field) {
+- $data_input_data = db_fetch_row("select * from data_input_data where data_template_data_id=" . $data["id"] . " and data_input_field_id=" . $field["id"]);
+-
+- if (sizeof($data_input_data) > 0) {
+- $old_value = $data_input_data["value"];
+- }else{
+- $old_value = "";
+- }
+-
+- /* if data template then get t_value from template, else always allow user input */
+- if (empty($data["data_template_id"])) {
+- $can_template = "on";
+- }else{
+- $can_template = db_fetch_cell("select t_value from data_input_data where data_template_data_id=" . $template_data["id"] . " and data_input_field_id=" . $field["id"]);
+- }
+-
+- /* find our field name */
+- $form_field_name = str_replace("|id|", $field["id"], $field_name_format);
++ foreach ($fields as $field) {
++ $data_input_data = db_fetch_row("select * from data_input_data where data_template_data_id=" . $data["id"] . " and data_input_field_id=" . $field["id"]);
+
+- if ((!empty($host_id)) && (eregi('^' . VALID_HOST_FIELDS . '$', $field["type_code"])) && (empty($can_template))) { /* no host fields */
+- if ($include_hidden_fields == true) {
+- form_hidden_box($form_field_name, $old_value, "");
+- }
+- }elseif ((!empty($snmp_query_id)) && (eregi('^(index_type|index_value|output_type)$', $field["type_code"]))) { /* no data query fields */
+- if ($include_hidden_fields == true) {
+- form_hidden_box($form_field_name, $old_value, "");
+- }
+- }elseif (empty($can_template)) { /* no templated fields */
+- if ($include_hidden_fields == true) {
+- form_hidden_box($form_field_name, $old_value, "");
+- }
+- }else{
+- if (($draw_any_items == false) && ($header_title != "")) {
+- print "$header_title \n";
++ if (sizeof($data_input_data) > 0) {
++ $old_value = $data_input_data["value"];
++ }else{
++ $old_value = "";
+ }
+
+- if ($alternate_colors == true) {
+- form_alternate_row_color($colors["form_alternate1"],$colors["form_alternate2"],$i);
++ /* if data template then get t_value from template, else always allow user input */
++ if (empty($data["data_template_id"])) {
++ $can_template = "on";
+ }else{
+- print "\n";
++ $can_template = db_fetch_cell("select t_value from data_input_data where data_template_data_id=" . $template_data["id"] . " and data_input_field_id=" . $field["id"]);
+ }
+
+- print "" . $field["name"] . " \n";
+- print "";
++ /* find our field name */
++ $form_field_name = str_replace("|id|", $field["id"], $field_name_format);
++
++ if ((!empty($host_id)) && (eregi('^' . VALID_HOST_FIELDS . '$', $field["type_code"])) && (empty($can_template))) { /* no host fields */
++ if ($include_hidden_fields == true) {
++ form_hidden_box($form_field_name, $old_value, "");
++ }
++ }elseif ((!empty($snmp_query_id)) && (eregi('^(index_type|index_value|output_type)$', $field["type_code"]))) { /* no data query fields */
++ if ($include_hidden_fields == true) {
++ form_hidden_box($form_field_name, $old_value, "");
++ }
++ }elseif (empty($can_template)) { /* no templated fields */
++ if ($include_hidden_fields == true) {
++ form_hidden_box($form_field_name, $old_value, "");
++ }
++ }else{
++ if (($draw_any_items == false) && ($header_title != "")) {
++ print " $header_title \n";
++ }
++
++ if ($alternate_colors == true) {
++ form_alternate_row_color($colors["form_alternate1"],$colors["form_alternate2"],$i);
++ }else{
++ print "\n";
++ }
++
++ print "" . $field["name"] . " \n";
++ print "";
+
+- draw_custom_data_row($form_field_name, $field["id"], $data["id"], $old_value);
++ draw_custom_data_row($form_field_name, $field["id"], $data["id"], $old_value);
+
+- print " ";
+- print " \n";
++ print " ";
++ print "\n";
+
+- $draw_any_items = true;
+- $i++;
++ $draw_any_items = true;
++ $i++;
++ }
+ }
+ }
+- }
+
+ return $i;
+ }
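Review bot: this hunk is again almost entirely whitespace re-indentation; the only textual differences are in two print lines whose markup did not survive, and print "" . $field["name"] . " \n" still emits the data input field name loaded from the database raw on both sides. Given the purpose of the patch, escape $field["name"] there too, and limit the hunk to that change so the fix is reviewable.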
+diff -Nur cacti-0.8.7e.base/lib/html.php cacti-0.8.7e.patched/lib/html.php
+--- cacti-0.8.7e.base/lib/html.php 2011-01-24 15:18:35.169381809 -0500
++++ cacti-0.8.7e.patched/lib/html.php 2011-02-01 13:52:03.573370897 -0500
+@@ -109,7 +109,7 @@
+ if ($print) {
+ print "
+
+ ";
+ }
+@@ -127,7 +127,7 @@
+ }
+
+ if ($print) {
+- print " ";
++ print " ";
+ }
+ print "
+