Bug #16114
closed
Potential XSS in Firewall Schedules
% Done: 100%
Description
The page at firewall_schedule_edit.php does not perform sufficient validation on the schedule values submitted by users. This value is sent back to the user on firewall_schedule.php without encoding, which is a potential XSS vector. Furthermore, the value may also cause a PHP error on firewall_schedule_edit.php which prevents further edits from being made to schedules.
Creating a new entry with the following data reproduces the problem condition:
{ "name": "XSS_Test_Sched", "descr": "XSS+Test", "monthsel": "3", "starttimehour": "0", "starttimemin": "00", "stoptimehour": "23", "stoptimemin": "59", "timerangedescr": "", "tempFriendlyTime0": "Sun", "starttime0": "0:00", "stoptime0": "23:59", "timedescr0": "", "schedule0": "w11p3-m3d12\"><script>alert('XSS')</script>", "marker": "", "save": "Save" }
Attempting to edit the problematic entry will result in a PHP error:
PHP Fatal error: Uncaught TypeError: mktime(): Argument #5 ($day) must be of type ?int, string given in /usr/local/www/firewall_schedule_edit.php:494
Stack trace:
#0 /usr/local/www/firewall_schedule_edit.php(494): mktime(0, 0, 0, '3', '12"><572025-03-...', '2025')
#1 {main}
  thrown in /usr/local/www/firewall_schedule_edit.php on line 494
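A defensive sketch of the controls the description says are missing: validation of the schedule value on input, encoding on output, and integer parsing before mktime(). This is an added example, not pfSense code and not the fix from the changeset; the value grammar is an assumption inferred only from the sample w11p3-m3d12, and all function and constant names are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumed grammar, inferred only from the sample "w11p3-m3d12" in the report:
// tokens "w<digits>p<digit>" or "m<digits>d<digits>", joined by "-".
const SCHEDULE_TOKEN = '(?:w\d{1,2}p\d|m\d{1,2}d\d{1,2})';

/** Input validation: accept only values that match the assumed grammar. */
function schedule_value_is_valid(string $value): bool
{
    $re = '/\A' . SCHEDULE_TOKEN . '(?:-' . SCHEDULE_TOKEN . ')*\z/';
    return preg_match($re, $value) === 1;
}

/** Output encoding: escape the value for an HTML text or attribute context. */
function schedule_value_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Convert an "m<month>d<day>" token to a timestamp, or null if it is not one.
 * Month and day are cast to int first, so mktime() never receives a string.
 */
function schedule_token_to_timestamp(string $token, int $year): ?int
{
    if (preg_match('/\Am(\d{1,2})d(\d{1,2})\z/', $token, $m) !== 1) {
        return null;
    }
    $month = (int)$m[1];
    $day = (int)$m[2];
    if (!checkdate($month, $day, $year)) {
        return null;
    }
    $ts = mktime(0, 0, 0, $month, $day, $year);
    return $ts === false ? null : $ts;
}

// Constructed inputs: the clean prefix and the full value from the report.
$samples = ['w11p3-m3d12', 'w11p3-m3d12"><script>alert(\'XSS\')</script>'];
foreach ($samples as $value) {
    $verdict = schedule_value_is_valid($value) ? 'accept' : 'reject';
    echo $verdict, ': ', schedule_value_for_html($value), PHP_EOL;
}
var_dump(schedule_token_to_timestamp('m3d12', 2025) !== null);      // valid date
var_dump(schedule_token_to_timestamp('m3d12"><script>', 2025));     // NULL
```

Validation and encoding are independent layers: the encoder keeps a stored bad value inert when the list page renders it, even if it was saved before validation existed.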
Updated by Jim Pingle about 2 months ago
- File poc-xss-fwsched-16114.py added
- Description updated (diff)
Attached is a small proof of concept script which can trigger the problem. Ensure there is no schedule named XSS_Test_Sched before running the script.
After running the script, an XSS alert will appear on firewall_schedule.php. Attempting to edit the problematic schedule will result in a PHP error.
Updated by Jim Pingle about 2 months ago
- Priority changed from Normal to Very High
Updated by Jim Pingle about 2 months ago
- File deleted (poc-xss-fwsched-16114.py)
Updated by Jim Pingle about 2 months ago
- File poc-xss-fwsched-16114.py added
Updated POC.
Updated by Jim Pingle about 2 months ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset dfc70e51d556d8c1724bfc7f1fd5fe4b73faab3b.
Updated by Georgiy Tyutyunnik 26 days ago
tested, reproduced on 25.07.a.20250331.2135
fixed in 25.07.a.20250409.0600 and later