Cacti · somethingwithproof · Apr 9, 2026 · Apr 9, 2026 · Apr 10, 2026 · Apr 10, 2026
diff --git a/.gitignore b/.gitignore
@@ -21,3 +21,4 @@
 
 locales/po/*.mo
 vendor/
+.omc/
diff --git a/db_functions.php b/db_functions.php
@@ -1,6 +1,7 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
+
 
 /*
  +-------------------------------------------------------------------------+

diff --git a/images/index.php b/images/index.php
@@ -1,6 +1,7 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
+
 
 /*
  +-------------------------------------------------------------------------+

diff --git a/index.php b/index.php
@@ -1,5 +1,7 @@
 <?php
 
+declare(strict_types=1);
+
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

diff --git a/locales/LC_MESSAGES/index.php b/locales/LC_MESSAGES/index.php
@@ -1,6 +1,7 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
+
 
 /*
  +-------------------------------------------------------------------------+

diff --git a/locales/index.php b/locales/index.php
@@ -1,5 +1,7 @@
 <?php
 
+declare(strict_types=1);
+
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

diff --git a/monitor.php b/monitor.php
@@ -1,6 +1,7 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
+
 
 /*
  +-------------------------------------------------------------------------+

diff --git a/monitor_controller.php b/monitor_controller.php
@@ -1,6 +1,7 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
+
 
 /*
  +-------------------------------------------------------------------------+
@@ -450,7 +451,7 @@ function monitorRenderPrimaryFilterRow(array $dashboards, array $monitor_status,
 	}
 
 	print '<input type="button" value="' . (get_request_var('mute') == 'false' ? getMuteText() : getUnmuteText()) . '" id="sound" title="' . (get_request_var('mute') == 'false' ? __('%s Alert for downed Devices', getMuteText(), 'monitor') : __('%s Alerts for downed Devices', getUnmuteText(), 'monitor')) . '">' . PHP_EOL;
-	print '<input id="downhosts" type="hidden" value="' . get_request_var('downhosts') . '"><input id="mute" type="hidden" value="' . get_request_var('mute') . '">' . PHP_EOL;
+	print '<input id="downhosts" type="hidden" value="' . html_escape(get_request_var('downhosts')) . '"><input id="mute" type="hidden" value="' . html_escape(get_request_var('mute')) . '">' . PHP_EOL;
 	print '</span></td>';
 }
 
@@ -548,23 +549,23 @@ function monitorRenderGroupingDropdowns(array $classes, array $criticalities, ar
  */
 function monitorRenderHiddenFilterInputs(): void {
 	if (get_request_var('grouping') != 'tree') {
-		print '<td><input type="hidden" id="tree" value="' . get_request_var('tree') . '"></td>' . PHP_EOL;
+		print '<td><input type="hidden" id="tree" value="' . html_escape(get_request_var('tree')) . '"></td>' . PHP_EOL;
 	}
 
 	if (get_request_var('grouping') != 'site') {
-		print '<td><input type="hidden" id="site" value="' . get_request_var('site') . '"></td>' . PHP_EOL;
+		print '<td><input type="hidden" id="site" value="' . html_escape(get_request_var('site')) . '"></td>' . PHP_EOL;
 	}
 
 	if (get_request_var('grouping') != 'template') {
-		print '<td><input type="hidden" id="template" value="' . get_request_var('template') . '"></td>' . PHP_EOL;
+		print '<td><input type="hidden" id="template" value="' . html_escape(get_request_var('template')) . '"></td>' . PHP_EOL;
 	}
 
 	if (get_request_var('view') == 'list') {
-		print '<td><input type="hidden" id="size" value="' . get_request_var('size') . '"></td>' . PHP_EOL;
+		print '<td><input type="hidden" id="size" value="' . html_escape(get_request_var('size')) . '"></td>' . PHP_EOL;
 	}
 
 	if (get_request_var('view') != 'default') {
-		print '<td><input type="hidden" id="trim" value="' . get_request_var('trim') . '"></td>' . PHP_EOL;
+		print '<td><input type="hidden" id="trim" value="' . html_escape(get_request_var('trim')) . '"></td>' . PHP_EOL;
 	}
 }
 

diff --git a/monitor_render.php b/monitor_render.php
@@ -1,6 +1,7 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
+
 
 /*
  +-------------------------------------------------------------------------+
@@ -962,7 +963,7 @@ function renderHeaderList(int $total_rows = 0, int $rows = 0): string {
 
 	ob_start();
 
-	$nav = html_nav_bar('monitor.php?rfilter=' . get_request_var('rfilter'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 12, __('Devices'), 'page', 'main');
+	$nav = html_nav_bar('monitor.php?rfilter=' . rawurlencode(get_request_var('rfilter')), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 12, __('Devices'), 'page', 'main');
 
 	html_start_box(__('Monitored Devices', 'monitor'), '100%', false, 3, 'center', '');
 
@@ -1042,7 +1043,7 @@ function renderFooterList(int $total_rows, int $rows): string {
 	html_end_box(false);
 
 	if ($total_rows > 0) {
-		$nav = html_nav_bar('monitor.php?rfilter=' . get_request_var('rfilter'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 12, __('Devices'), 'page', 'main');
+		$nav = html_nav_bar('monitor.php?rfilter=' . rawurlencode(get_request_var('rfilter')), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 12, __('Devices'), 'page', 'main');
 
 		print $nav;
 	}

diff --git a/poller_functions.php b/poller_functions.php
@@ -1,6 +1,7 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
+
 
 /*
  +-------------------------------------------------------------------------+

diff --git a/poller_monitor.php b/poller_monitor.php
@@ -1,6 +1,7 @@
 <?php
 
-declare(strict_types = 1);
+declare(strict_types=1);
+
 
 /*
  +-------------------------------------------------------------------------+

diff --git a/setup.php b/setup.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

diff --git a/sounds/index.php b/sounds/index.php
@@ -1,5 +1,7 @@
 <?php
 
+declare(strict_types=1);
+
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

diff --git a/tests/Integration/test_monitor_request_output_wiring.php b/tests/Integration/test_monitor_request_output_wiring.php
@@ -0,0 +1,41 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDTool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+$checks = array(
+	__DIR__ . '/../../monitor_controller.php' => array(
+		"html_escape(get_request_var('downhosts'))",
+		"html_escape(get_request_var('mute'))",
+		"html_escape(get_request_var('tree'))",
+		"html_escape(get_request_var('site'))",
+		"html_escape(get_request_var('template'))",
+		"html_escape(get_request_var('size'))",
+		"html_escape(get_request_var('trim'))",
+	),
+	__DIR__ . '/../../monitor_render.php' => array(
+		"rawurlencode(get_request_var('rfilter'))",
+	),
+);
+
+foreach ($checks as $path => $patterns) {
+	$contents = file_get_contents($path);
+
+	if ($contents === false) {
+		fwrite(STDERR, "Unable to read {$path}\n");
+		exit(1);
+	}
+
+	foreach ($patterns as $pattern) {
+		if (strpos($contents, $pattern) === false) {
+			fwrite(STDERR, "Missing expected output hardening: {$pattern}\n");
+			exit(1);
+		}
+	}
+}
+
+print "OK\n";
diff --git a/tests/e2e/test_monitor_no_raw_request_reuse.php b/tests/e2e/test_monitor_no_raw_request_reuse.php
@@ -0,0 +1,40 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDTool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+$checks = array(
+	__DIR__ . '/../../monitor_controller.php' => array(
+		"get_request_var('downhosts') . '\"><input id=\"mute\" type=\"hidden\" value=\"' . get_request_var('mute')",
+		"get_request_var('tree') . '\"></td>'",
+		"get_request_var('site') . '\"></td>'",
+		"get_request_var('template') . '\"></td>'",
+		"get_request_var('size') . '\"></td>'",
+		"get_request_var('trim') . '\"></td>'",
+	),
+	__DIR__ . '/../../monitor_render.php' => array(
+		"monitor.php?rfilter=' . get_request_var('rfilter')",
+	),
+);
+
+foreach ($checks as $path => $patterns) {
+	$contents = file_get_contents($path);
+
+	if ($contents === false) {
+		fwrite(STDERR, "Unable to read {$path}\n");
+		exit(1);
+	}
+
+	foreach ($patterns as $pattern) {
+		if (strpos($contents, $pattern) !== false) {
+			fwrite(STDERR, "Raw request reuse remains: {$pattern}\n");
+			exit(1);
+		}
+	}
+}
+
+print "OK\n";
diff --git a/tests/unit/test_request_output_escaping.php b/tests/unit/test_request_output_escaping.php
@@ -0,0 +1,19 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDTool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+$payload = "\" autofocus onfocus=\"alert(1)";
+$escaped = htmlspecialchars($payload, ENT_QUOTES, 'UTF-8');
+
+if (strpos($escaped, '"') === false && strpos($escaped, '&quot;') !== false) {
+	print "OK\n";
+	exit(0);
+}
+
+fwrite(STDERR, "Expected request values to be escaped for hidden inputs\n");
+exit(1);
diff --git a/themes/classic/index.php b/themes/classic/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

diff --git a/themes/dark/index.php b/themes/dark/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

diff --git a/themes/index.php b/themes/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

diff --git a/themes/midwinter/index.php b/themes/midwinter/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

diff --git a/themes/modern/index.php b/themes/modern/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

diff --git a/themes/paper-plane/index.php b/themes/paper-plane/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

diff --git a/themes/paw/index.php b/themes/paw/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

diff --git a/themes/sunrise/index.php b/themes/sunrise/index.php
@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types=1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |