Fix XSS vulnerability, when import is using a file upload without a valid LDIF. Also fixes #250 and closes #251

Author: leenooks

htdocs/import.php

@@ -103,7 +103,7 @@ function display_pla_parse_error($request) {
 	printf('<tr><td colspan=2><b>%s</b>:</td></tr>',_('Data'));
 
 	foreach ($request->error['data'] as $line)
-		printf('<tr><td>&nbsp;</td><td>%s</td></tr>',$line);
+		printf('<tr><td>&nbsp;</td><td>%s</td></tr>',htmlspecialchars($line));
 
 	echo '</table>';
 	echo '</center>';

lib/Template.php

@@ -660,6 +660,8 @@ public function getDN() {
 		# If container is not set, we're probably creating the base
 		elseif ($this->getRDN() && get_request('create_base'))
 			return $this->getRDN();
+
+		return '';
 	}
 
 	public function getDNEncode($url=true) {

lib/import_functions.php

@@ -175,7 +175,9 @@ public function readEntry() {
 					return $this->error(sprintf('%s %s',_('LDIF import only suppports version 1'),$version),$lines);
 
 				$haveVersion = true;
-				$lines = $this->nextLines();
+
+				if (! $lines)
+					$lines = $this->nextLines();
 			}
 
 			$server = $this->getServer();