Security fixes and schema cleanup
- Fix SQL injection in displayprofile.asp (parameterized query) - Add HTMLEncode to XSS-vulnerable output in 5 display pages - Add Option Explicit to computers.asp, displaymachines.asp, displaypcs.asp, displayapplication.asp, displayprofile.asp - Update STANDARDS.md with test script reference, secrets management, column naming gotchas - Fix equipment type ranges in CLAUDE.md and QUICK_REFERENCE.md (1-15, 21-25) - Add migration SQL to cleanup redundant PC machinetypes (34-46) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -1,3 +1,8 @@
|
||||
<%@ Language=VBScript %>
|
||||
<%
|
||||
Option Explicit
|
||||
Dim theme, strSQL, rs, displayName, uptimeDays, hasVnc, hasWinrm, vncHost, objConn
|
||||
%>
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
@@ -6,7 +11,7 @@
|
||||
</head>
|
||||
|
||||
<%
|
||||
' displaypcs.asp - PC List Page (Phase 2 Schema) - Last Updated: 20251110-1440
|
||||
' displaypcs.asp - PC List Page (Phase 2 Schema)
|
||||
theme = Request.Cookies("theme")
|
||||
IF theme = "" THEN
|
||||
theme="bg-theme1"
|
||||
@@ -148,7 +153,6 @@ Set rsStatus = Nothing
|
||||
<%
|
||||
' Build query based on filters
|
||||
Dim pcStatusFilter, winrmFilterSQL, deviceTypeFilterSQL, pcTypeFilterSQL, uptimeFilterSQL, needsRelationshipFilter, whereClause
|
||||
Dim displayName, hasVnc, vncHost, hasWinrm, uptimeDays
|
||||
pcStatusFilter = Request.QueryString("pcstatus")
|
||||
winrmFilterSQL = Request.QueryString("winrm")
|
||||
deviceTypeFilterSQL = Request.QueryString("devicetype")
|
||||
@@ -221,17 +225,17 @@ Set rsStatus = Nothing
|
||||
|
||||
%>
|
||||
<tr>
|
||||
<td><a href="./displaypc.asp?machineid=<%Response.Write(rs("machineid"))%>" title="Click to Show PC Details"><%
|
||||
<td><a href="./displaypc.asp?machineid=<%=rs("machineid")%>" title="Click to Show PC Details"><%
|
||||
If IsNull(rs("hostname")) Or rs("hostname") = "" Then
|
||||
displayName = rs("serialnumber")
|
||||
displayName = rs("serialnumber") & ""
|
||||
Else
|
||||
displayName = rs("hostname")
|
||||
displayName = rs("hostname") & ""
|
||||
End If
|
||||
Response.Write(displayName)
|
||||
Response.Write(Server.HTMLEncode(displayName))
|
||||
%></a></td>
|
||||
<td><%Response.Write(rs("serialnumber"))%></td>
|
||||
<td><%Response.Write(rs("modelnumber"))%></td>
|
||||
<td><%Response.Write(rs("operatingsystem"))%></td>
|
||||
<td><%=Server.HTMLEncode(rs("serialnumber") & "")%></td>
|
||||
<td><%=Server.HTMLEncode(rs("modelnumber") & "")%></td>
|
||||
<td><%=Server.HTMLEncode(rs("operatingsystem") & "")%></td>
|
||||
<td><%
|
||||
' Equipment relationship column
|
||||
If Not IsNull(rs("equipment_id")) And rs("equipment_id") <> "" Then
|
||||
|
||||
Reference in New Issue
Block a user