Security fixes and schema cleanup

- Fix SQL injection in displayprofile.asp (parameterized query) - Add HTMLEncode to XSS-vulnerable output in 5 display pages - Add Option Explicit to computers.asp, displaymachines.asp, displaypcs.asp, displayapplication.asp, displayprofile.asp - Update STANDARDS.md with test script reference, secrets management, column naming gotchas - Fix equipment type ranges in CLAUDE.md and QUICK_REFERENCE.md (1-15, 21-25) - Add migration SQL to cleanup redundant PC machinetypes (34-46) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-12 07:22:16 -05:00
parent 693789138d
commit e0d89f9957
9 changed files with 258 additions and 57 deletions
--- a/displaymachines.asp
+++ b/displaymachines.asp
@@ -1,3 +1,8 @@
+<%@ Language=VBScript %>
+<%
+Option Explicit
+Dim theme, strSQL, rs, objConn
+%>
 <!DOCTYPE html>
 <html lang="en">
 <head>
@@ -105,21 +110,21 @@
 			Response.write("<tr>")
 %>
                    <td>
-                        <span class="location-link" data-machineid="<%Response.Write(rs("machineid"))%>" style="cursor:pointer;">
+                        <span class="location-link" data-machineid="<%=rs("machineid")%>" style="cursor:pointer;">
                            <i class="zmdi zmdi-pin"></i>
                        </span>
                    </td>
-                    <td><a href="./displaymachine.asp?machineid=<%Response.Write(rs("machineid"))%>" title="View Machine Details"><%
+                    <td><a href="./displaymachine.asp?machineid=<%=rs("machineid")%>" title="View Machine Details"><%
 					Dim displayName
 					displayName = rs("machinenumber") & ""
 					If displayName = "" Then displayName = rs("hostname") & ""
 					If displayName = "" Then displayName = "ID:" & rs("machineid")
 					Response.Write(Server.HTMLEncode(displayName))
 					%></a></td>
-                    <td><%Response.Write(rs("machinetype"))%></td>
-                    <td><%Response.Write(rs("vendor"))%></td>
-                    <td><%Response.Write(rs("modelnumber"))%></a></td>
-                    <td><%Response.Write(rs("businessunit"))%></td>
+                    <td><%=Server.HTMLEncode(rs("machinetype") & "")%></td>
+                    <td><%=Server.HTMLEncode(rs("vendor") & "")%></td>
+                    <td><%=Server.HTMLEncode(rs("modelnumber") & "")%></td>
+                    <td><%=Server.HTMLEncode(rs("businessunit") & "")%></td>
 
                  </tr>