Security fixes and schema cleanup

- Fix SQL injection in displayprofile.asp (parameterized query) - Add HTMLEncode to XSS-vulnerable output in 5 display pages - Add Option Explicit to computers.asp, displaymachines.asp, displaypcs.asp, displayapplication.asp, displayprofile.asp - Update STANDARDS.md with test script reference, secrets management, column naming gotchas - Fix equipment type ranges in CLAUDE.md and QUICK_REFERENCE.md (1-15, 21-25) - Add migration SQL to cleanup redundant PC machinetypes (34-46) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-12 07:22:16 -05:00
parent 693789138d
commit e0d89f9957
9 changed files with 258 additions and 57 deletions
--- a/computers.asp
+++ b/computers.asp
@@ -1,3 +1,8 @@
+<%@ Language=VBScript %>
+<%
+Option Explicit
+Dim theme, strSQL, rs, objConn
+%>
 <!DOCTYPE html>
 <html lang="en">
 <head>
@@ -6,7 +11,6 @@
 </head>

 <%
-	' Force IIS recompile - timestamp: 20251110-143600
 	theme = Request.Cookies("theme")
 	IF theme = "" THEN
 		theme="bg-theme1"
@@ -61,7 +65,7 @@ While Not rsTypes.EOF
    If CStr(rsTypes("pctypeid")) = CStr(currentPCType) Then
        selectedAttr = " selected"
    End If
-    Response.Write "<option value=""" & rsTypes("pctypeid") & """" & selectedAttr & ">" & rsTypes("typename") & "</option>" & vbCrLf
+    Response.Write "<option value=""" & rsTypes("pctypeid") & """" & selectedAttr & ">" & Server.HTMLEncode(rsTypes("typename") & "") & "</option>" & vbCrLf
    rsTypes.MoveNext
 Wend
 rsTypes.Close
@@ -77,7 +81,7 @@ While Not rsStatus.EOF
    If CStr(rsStatus("machinestatusid")) = CStr(currentPCStatus) Then
        selectedAttr = " selected"
    End If
-    Response.Write "<option value=""" & rsStatus("machinestatusid") & """" & selectedAttr & ">" & rsStatus("machinestatus") & "</option>" & vbCrLf
+    Response.Write "<option value=""" & rsStatus("machinestatusid") & """" & selectedAttr & ">" & Server.HTMLEncode(rsStatus("machinestatus") & "") & "</option>" & vbCrLf
    rsStatus.MoveNext
 Wend
 rsStatus.Close
@@ -162,20 +166,20 @@ Set rsStatus = Nothing
 	while not rs.eof

 %>
-                    <td><a href="./displaypc.asp?machineid=<%Response.Write(rs("machineid"))%>" title="Click to Show PC Details"><%
+                    <td><a href="./displaypc.asp?machineid=<%=rs("machineid")%>" title="Click to Show PC Details"><%
 						Dim displayName
 						If IsNull(rs("hostname")) Or rs("hostname") = "" Then
-							displayName = rs("serialnumber")
+							displayName = rs("serialnumber") & ""
 						Else
-							displayName = rs("hostname")
+							displayName = rs("hostname") & ""
 						End If
-						Response.Write(displayName)
+						Response.Write(Server.HTMLEncode(displayName))
 					%></a></td>
-                    <td><%Response.Write(rs("serialnumber"))%></td>
-                    <td><%Response.Write(rs("ipaddress"))%></td>
-                    <td><%Response.Write(rs("modelnumber"))%></td>
-                    <td><%Response.Write(rs("operatingsystem"))%></td>
-                    <td><a href="./search.asp?search=<%Response.Write(rs("machinenumber"))%>" title="Click to Show Machine Details"><%Response.Write(rs("machinenumber"))%></td>
+                    <td><%=Server.HTMLEncode(rs("serialnumber") & "")%></td>
+                    <td><%=Server.HTMLEncode(rs("ipaddress") & "")%></td>
+                    <td><%=Server.HTMLEncode(rs("modelnumber") & "")%></td>
+                    <td><%=Server.HTMLEncode(rs("operatingsystem") & "")%></td>
+                    <td><a href="./search.asp?search=<%=Server.URLEncode(rs("machinenumber") & "")%>" title="Click to Show Machine Details"><%=Server.HTMLEncode(rs("machinenumber") & "")%></a></td>
                  </tr>

 <%