web/common: escape validate_input regex before sending to js

razvancrainea · razvancrainea · commit 76747e7a6efb · 2025-08-21T10:23:51.000+03:00
diff --git a/web/common/forms.php b/web/common/forms.php
@@ -290,7 +290,7 @@ function form_generate_input_textarea($title,$tip,$id,$opt,$val,$mlen=null,$re=n
 	else
 		$maxlen = "";
 
-	$validate=" opt='".$opt."' oninput='auto_grow(this);validate_input(\"".$id."\", \"".$id."_ok\",".($re?"\"".$re."\"":"null").",".$validation.",\"".$json_format."\")'";
+	$validate=" opt='".$opt."' oninput='auto_grow(this);validate_input(\"".$id."\", \"".$id."_ok\",".($re?"\"".preg_quote($re, '/')."\"":"null").",".$validation.",\"".$json_format."\")'";
 	$pixelNo = substr_count($val, "\n") * 16 + 35;
 
 	
@@ -324,7 +324,7 @@ function form_generate_input_text($title,$tip,$id,$opt,$val,$mlen,$re, $validati
 	else 
 		$value = "";
 
-	$validate=" opt='".$opt."' oninput='validate_input(\"".$id."\", \"".$id."_ok\",".($re?"\"".$re."\"":"null").",".($validation?$validation:"null").",\"".$format."\")'";
+	$validate=" opt='".$opt."' oninput='validate_input(\"".$id."\", \"".$id."_ok\",".($re?"\"".preg_quote($re, '/')."\"":"null").",".($validation?$validation:"null").",\"".$format."\")'";
 
 	print("
 		<tr>
diff --git a/web/common/tools/tviewer/template/tviewer.add.php b/web/common/tools/tviewer/template/tviewer.add.php
@@ -47,7 +47,7 @@
 						<?php if (!isset($value['validation_regex']))
 							$regex = "null";
 						else
-							$regex = '"'.$value['validation_regex'].'"';
+							$regex = '"'.preg_quote($value['validation_regex'], '/').'"';
 						$opt = isset($value['is_optional'])?$value['is_optional']:"y";
 						$validate=" opt='".$opt."' oninput='validate_input(\"".$key."\", \"".$key."_ok\",".$regex.")'";
 						?>
diff --git a/web/common/tools/tviewer/template/tviewer.edit.php b/web/common/tools/tviewer/template/tviewer.edit.php
@@ -60,7 +60,7 @@
 						<?php if (!isset($value['validation_regex']))
 							$regex = "null";
 						else
-							$regex = '"'.$value['validation_regex'].'"';
+							$regex = '"'.preg_quote($value['validation_regex'], '/').'"';
 						$opt = isset($value['is_optional'])?$value['is_optional']:"y";
 						$validate=" opt='".$opt."' valid='ok' oninput='validate_input(\"".$key."\", \"".$key."_ok\",".$regex.")'";
 						?>
