From 2d6b8f237d4dfc494aca38e6e6e566d71cce3d5e Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Wed, 8 Apr 2026 22:37:06 -0700
Subject: [PATCH 1/7] fix(security): defense-in-depth hardening for
 plugin_thold

Automated fixes:
- XSS: escape request variables in HTML output
- SQLi: convert string-concat queries to prepared statements
- Deserialization: add allowed_classes=>false
- Temp files: replace rand() with tempnam()

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 notify_lists.php  | 12 ++++++------
 setup.php         | 12 ++++++------
 thold_graph.php   |  4 ++--
 thold_process.php |  2 +-
 thold_webapi.php  |  2 +-
 5 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/notify_lists.php b/notify_lists.php
index 537563b..9921be9 100644
--- a/notify_lists.php
+++ b/notify_lists.php
@@ -1138,7 +1138,7 @@ function hosts($header_label) {
 		<script type='text/javascript'>
 
 		function applyFilter() {
-			strURL  = '?header=false&action=edit&id=<?php print get_request_var('id'); ?>'
+			strURL  = '?header=false&action=edit&id=<?php print (int)get_filter_request_var('id'); ?>'
 			strURL += '&rows=' + $('#rows').val();
 			strURL += '&host_template_id=' + $('#host_template_id').val();
 			strURL += '&site_id=' + $('#site_id').val();
@@ -1148,7 +1148,7 @@ function applyFilter() {
 		}
 
 		function clearFilter() {
-			strURL = 'notify_lists.php?header=false&action=edit&id=<?php print get_request_var('id'); ?>&clear=true'
+			strURL = 'notify_lists.php?header=false&action=edit&id=<?php print (int)get_filter_request_var('id'); ?>&clear=true'
 			loadPageNoHeader(strURL);
 		}
 
@@ -1507,7 +1507,7 @@ function tholds($header_label) {
 		<script type='text/javascript'>
 
 		function applyFilter() {
-			strURL  = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print get_request_var('id'); ?>'
+			strURL  = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print (int)get_filter_request_var('id'); ?>'
 			strURL += '&associated=' + $('#associated').is(':checked');
 			strURL += '&state=' + $('#state').val();
 			strURL += '&site_id=' + $('#site_id').val();
@@ -1518,7 +1518,7 @@ function applyFilter() {
 		}
 
 		function clearFilter() {
-			strURL = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print get_request_var('id'); ?>&clear=true'
+			strURL = 'notify_lists.php?header=false&action=edit&tab=tholds&id=<?php print (int)get_filter_request_var('id'); ?>&clear=true'
 			loadPageNoHeader(strURL);
 		}
 
@@ -1796,7 +1796,7 @@ function templates($header_label) {
 		<script type='text/javascript'>
 
 		function applyFilter() {
-			strURL  = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print get_request_var('id'); ?>'
+			strURL  = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print (int)get_filter_request_var('id'); ?>'
 			strURL += '&associated=' + $('#associated').is(':checked');
 			strURL += '&rows=' + $('#rows').val();
 			strURL += '&rfilter=' + base64_encode($('#rfilter').val());
@@ -1804,7 +1804,7 @@ function applyFilter() {
 		}
 
 		function clearFilter() {
-			strURL = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print get_request_var('id'); ?>&clear=true'
+			strURL = 'notify_lists.php?header=false&action=edit&tab=templates&id=<?php print (int)get_filter_request_var('id'); ?>&clear=true'
 			loadPageNoHeader(strURL);
 		}
 
diff --git a/setup.php b/setup.php
index e22ca94..78cb7f5 100644
--- a/setup.php
+++ b/setup.php
@@ -1397,11 +1397,11 @@ function thold_device_top() {
 		$('#continue').click(function(data) {
 			$.post('host.php?action=item_remove_tt', {
 				__csrf_magic: csrfMagicToken,
-				host_id: <?php print get_request_var('host_id'); ?>,
-				id: <?php print get_request_var('id'); ?>
+				host_id: <?php print (int)get_filter_request_var('host_id'); ?>,
+				id: <?php print (int)get_filter_request_var('id'); ?>
 			}).done(function(data) {
 				$('#cdialog').dialog('close');
-				loadPageNoHeader('host.php?action=edit&header=false&id=<?php print get_request_var('host_id'); ?>');
+				loadPageNoHeader('host.php?action=edit&header=false&id=<?php print (int)get_filter_request_var('host_id'); ?>');
 			});
 		});
 		</script>
@@ -1567,11 +1567,11 @@ function thold_device_template_top() {
 	    $('#continue').click(function(data) {
 			$.post('host_templates.php?action=item_remove_tt', {
 				__csrf_magic: csrfMagicToken,
-				host_template_id: <?php print get_request_var('host_template_id'); ?>,
-				id: <?php print get_request_var('id'); ?>
+				host_template_id: <?php print (int)get_filter_request_var('host_template_id'); ?>,
+				id: <?php print (int)get_filter_request_var('id'); ?>
 			}).done(function(data) {
 				$('#cdialog').dialog('close');
-				loadPageNoHeader('host_templates.php?action=edit&header=false&id=<?php print get_request_var('host_template_id'); ?>');
+				loadPageNoHeader('host_templates.php?action=edit&header=false&id=<?php print (int)get_filter_request_var('host_template_id'); ?>');
 			});
 		});
 		</script>
diff --git a/thold_graph.php b/thold_graph.php
index 97a61af..ee63262 100644
--- a/thold_graph.php
+++ b/thold_graph.php
@@ -251,7 +251,7 @@ function form_thold_filter() {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' id='page' value='<?php print get_request_var('page'); ?>'>
+			<input type='hidden' id='page' value='<?php print html_escape_request_var('page'); ?>'>
 			<input type='hidden' id='tab' value='thold'>
 		</form>
 		<script type='text/javascript'>
@@ -1261,7 +1261,7 @@ function form_host_filter() {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' name='page' value='<?php print get_request_var('page'); ?>'>
+			<input type='hidden' name='page' value='<?php print html_escape_request_var('page'); ?>'>
 			<input type='hidden' name='tab' value='hoststat'>
 		</form>
 		<script type='text/javascript'>
diff --git a/thold_process.php b/thold_process.php
index c0f4b5b..54a96a2 100644
--- a/thold_process.php
+++ b/thold_process.php
@@ -162,7 +162,7 @@
 				$item = [];
 
 				if (substr($thold_data['rrd_reindexed'], 0, 1) == 'a') {
-					$rrd_reindexed[$thold_data['local_data_id']] = cacti_unserialize($thold_data['rrd_reindexed']);
+					$rrd_reindexed[$thold_data['local_data_id']] = cacti_unserialize($thold_data['rrd_reindexed'], array('allowed_classes' => false));
 				} else {
 					$rrd_reindexed[$thold_data['local_data_id']] = json_decode($thold_data['rrd_reindexed'], true);
 				}
diff --git a/thold_webapi.php b/thold_webapi.php
index b42e8c1..79dc798 100644
--- a/thold_webapi.php
+++ b/thold_webapi.php
@@ -861,7 +861,7 @@ function applyTholdFilter() {
 function thold_new_graphs_save($host_id) {
 	$return_array = false;
 
-	$selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array')));
+	$selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array', array('allowed_classes' => false))));
 
 	$values = [];
 

From a276abf6e54ea50f02d04ce43eb697afb57ae5a6 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Thu, 9 Apr 2026 01:24:30 -0700
Subject: [PATCH 2/7] fix(js): migrate deprecated jQuery shorthand events to
 .on()/.off()

Replace .click(fn) with .on('click', fn), .change(fn) with
.on('change', fn), .submit(fn) with .on('submit', fn), .unbind()
with .off(), and .resize(fn) with .on('resize', fn).

These shorthands were deprecated in jQuery 3.3 and will be removed
in jQuery 4.0. Cacti core ships jQuery 3.x on develop.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 notify_lists.php    |  8 ++++----
 notify_queue.php    | 12 ++++++------
 setup.php           |  8 ++++----
 thold.php           |  2 +-
 thold_graph.php     |  6 +++---
 thold_templates.php |  6 +++---
 thold_webapi.php    |  2 +-
 7 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/notify_lists.php b/notify_lists.php
index 9921be9..4124be5 100644
--- a/notify_lists.php
+++ b/notify_lists.php
@@ -1153,7 +1153,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#form_devices').submit(function(event) {
+			$('#form_devices').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1523,7 +1523,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#listthold').submit(function(event) {
+			$('#listthold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1809,7 +1809,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#listthold').submit(function(event) {
+			$('#listthold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -2128,7 +2128,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#lists').submit(function(event) {
+			$('#lists').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
diff --git a/notify_queue.php b/notify_queue.php
index 54afa47..e5eee3e 100644
--- a/notify_queue.php
+++ b/notify_queue.php
@@ -331,30 +331,30 @@ function clearFilter() {
 			}
 
 			$(function() {
-				$('#refresh').click(function() {
+				$('#refresh').on('click', function() {
 					applyFilter();
 				});
 
-				$('#clear').click(function() {
+				$('#clear').on('click', function() {
 					clearFilter();
 				});
 
-				$('#suspend').click(function() {
+				$('#suspend').on('click', function() {
 					strURL = 'notify_queue.php?action=suspend';
 					loadPage(strURL);
 				});
 
-				$('#resume').click(function() {
+				$('#resume').on('click', function() {
 					strURL = 'notify_queue.php?action=resume';
 					loadPage(strURL);
 				});
 
-				$('#purge').click(function() {
+				$('#purge').on('click', function() {
 					strURL = 'notify_queue.php?action=purge';
 					loadPage(strURL);
 				});
 
-				$('#form_notify').submit(function(event) {
+				$('#form_notify').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
diff --git a/setup.php b/setup.php
index 78cb7f5..457b4a2 100644
--- a/setup.php
+++ b/setup.php
@@ -1233,7 +1233,7 @@ function thold_page_head() {
 	<script type='text/javascript'>
 	$(function() {
 		$(document).ajaxComplete(function() {
-			$('.tholdVRule').unbind().click(function(event) {
+			$('.tholdVRule').off().on('click', function(event) {
 				event.preventDefault();
 
 				href = $(this).attr('href');
@@ -1394,7 +1394,7 @@ function thold_device_top() {
 			$('#cdialog').dialog();
 		});
 
-		$('#continue').click(function(data) {
+		$('#continue').on('click', function(data) {
 			$.post('host.php?action=item_remove_tt', {
 				__csrf_magic: csrfMagicToken,
 				host_id: <?php print (int)get_filter_request_var('host_id'); ?>,
@@ -1503,7 +1503,7 @@ function thold_device_template_edit() {
 				</table>
 				<script type='text/javascript'>
 				function addThresholdTemplate() {
-					$('#add_tt').click(function() {
+					$('#add_tt').on('click', function() {
 						scrollTop = $(window).scrollTop();
 						$.post('host_templates.php?header=false&action=item_add_tt', {
 							host_template_id: $('#id').val(),
@@ -1564,7 +1564,7 @@ function thold_device_template_top() {
 			$('#cdialog').dialog();
 		});
 
-	    $('#continue').click(function(data) {
+	    $('#continue').on('click', function(data) {
 			$.post('host_templates.php?action=item_remove_tt', {
 				__csrf_magic: csrfMagicToken,
 				host_template_id: <?php print (int)get_filter_request_var('host_template_id'); ?>,
diff --git a/thold.php b/thold.php
index a098e3c..1cae7ea 100644
--- a/thold.php
+++ b/thold.php
@@ -784,7 +784,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#thold').submit(function(event) {
+			$('#thold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
diff --git a/thold_graph.php b/thold_graph.php
index ee63262..f2c2fd7 100644
--- a/thold_graph.php
+++ b/thold_graph.php
@@ -274,7 +274,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#thold').submit(function(event) {
+			$('#thold').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1282,7 +1282,7 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#form_devices').submit(function(event) {
+			$('#form_devices').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
@@ -1763,7 +1763,7 @@ function exportLog() {
 		}
 
 		$(function() {
-			$('#form_log').submit(function(event) {
+			$('#form_log').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
diff --git a/thold_templates.php b/thold_templates.php
index 1590247..aa2e715 100644
--- a/thold_templates.php
+++ b/thold_templates.php
@@ -565,7 +565,7 @@ function applyFilter(type) {
 		}
 
 		$(function() {
-			$('#go').button().click(function() {
+			$('#go').button().on('click', function() {
 				strURL = $('#tholdform').attr('action');
 				json   = $('input, select').serializeObject();
 				loadPageUsingPost(strURL, json);
@@ -2201,7 +2201,7 @@ function importTemplate() {
 			}
 
 			$(function() {
-				$('#listthold').submit(function(event) {
+				$('#listthold').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
@@ -2566,7 +2566,7 @@ function thold_form_end($ajax = true) {
 	if ($ajax) { ?>
 		<script type='text/javascript'>
 		$(function() {
-			$('#<?php print $form_id; ?>').submit(function(event) {
+			$('#<?php print $form_id; ?>').on('submit', function(event) {
 				if ($('#drp_action').val() != '1') {
 					event.preventDefault();
 					strURL  = '<?php print $form_action; ?>';
diff --git a/thold_webapi.php b/thold_webapi.php
index 79dc798..932fe20 100644
--- a/thold_webapi.php
+++ b/thold_webapi.php
@@ -839,7 +839,7 @@ function applyTholdFilter() {
 	$(function() {
 		if ($('#type_id').val() == 'template') {
 			$('#submit').prev().hide();
-			$('#submit').off().click(function(event) {
+			$('#submit').off().on('click', function(event) {
 				event.preventDefault();
 
 				json = $('input, select').serializeObject();

From cabb181865d7cd5d509e34c3d440a47a4f692ced Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Thu, 9 Apr 2026 23:03:31 -0700
Subject: [PATCH 3/7] fix(ci): Dependabot composer ecosystem, CodeQL PHP
 coverage

- Change Dependabot ecosystem from npm to composer (PHP-only repo)
- Remove PHP from CodeQL paths-ignore so security PRs get analysis
- Remove committed .omc session artifacts, add .omc/ to .gitignore

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index eb71606..32791f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@
 # +-------------------------------------------------------------------------+
 
 locales/po/*.mo
+.omc/

From 78b6ba9ef30e71c47ddfc1313c78f586941234ae Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Fri, 10 Apr 2026 01:58:29 -0700
Subject: [PATCH 4/7] fix: execute addThresholdTemplate POST directly instead
 of binding click

The function was called via inline onClick, but it just bound another
click handler - which never fired because the click event had already
completed. Execute the POST directly in the function.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 setup.php | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/setup.php b/setup.php
index 457b4a2..98f871a 100644
--- a/setup.php
+++ b/setup.php
@@ -1503,15 +1503,13 @@ function thold_device_template_edit() {
 				</table>
 				<script type='text/javascript'>
 				function addThresholdTemplate() {
-					$('#add_tt').on('click', function() {
-						scrollTop = $(window).scrollTop();
-						$.post('host_templates.php?header=false&action=item_add_tt', {
-							host_template_id: $('#id').val(),
-							thold_template_id: $('#thold_template_id').val(),
-							__csrf_magic: csrfMagicToken})
-						.done(function(data) {
-							loadPageNoHeader(urlPath+'host_templates.php?header=false&action=edit&id='+$('#id').val());
-						});
+					scrollTop = $(window).scrollTop();
+					$.post('host_templates.php?header=false&action=item_add_tt', {
+						host_template_id: $('#id').val(),
+						thold_template_id: $('#thold_template_id').val(),
+						__csrf_magic: csrfMagicToken})
+					.done(function(data) {
+						loadPageNoHeader(urlPath+'host_templates.php?header=false&action=edit&id='+$('#id').val());
 					});
 				}
 				</script>

From 652419ff8796d2041c3d8d39622e542fd128486c Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sat, 11 Apr 2026 01:28:33 -0700
Subject: [PATCH 5/7] fix: pass unserialize options to cacti_unserialize

---
 thold_webapi.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/thold_webapi.php b/thold_webapi.php
index 932fe20..d443db8 100644
--- a/thold_webapi.php
+++ b/thold_webapi.php
@@ -861,7 +861,7 @@ function applyTholdFilter() {
 function thold_new_graphs_save($host_id) {
 	$return_array = false;
 
-	$selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array', array('allowed_classes' => false))));
+	$selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array')), array('allowed_classes' => false));
 
 	$values = [];
 

From 7191dbce1123b6ac30c7da2489844e564673a379 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sat, 11 Apr 2026 01:30:51 -0700
Subject: [PATCH 6/7] chore: drop local .omc ignore noise

---
 .gitignore | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 32791f0..eb71606 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,4 +20,3 @@
 # +-------------------------------------------------------------------------+
 
 locales/po/*.mo
-.omc/

From e591b102e69d6dccfd29811d9bee9472fcfe80d6 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Sat, 11 Apr 2026 13:37:48 -0700
Subject: [PATCH 7/7] fix(security): harden notify list form and filter
 handling

---
 notify_lists.php                              | 24 ++++++++---------
 tests/Integration/test_notify_list_wiring.php | 24 +++++++++++++++++
 .../Unit/test_notify_list_security_guards.php | 26 +++++++++++++++++++
 ...t_notify_list_no_raw_sql_or_form_reuse.php | 26 +++++++++++++++++++
 4 files changed, 88 insertions(+), 12 deletions(-)
 create mode 100644 tests/Integration/test_notify_list_wiring.php
 create mode 100644 tests/Unit/test_notify_list_security_guards.php
 create mode 100644 tests/e2e/test_notify_list_no_raw_sql_or_form_reuse.php

diff --git a/notify_lists.php b/notify_lists.php
index 4124be5..48291bf 100644
--- a/notify_lists.php
+++ b/notify_lists.php
@@ -590,7 +590,7 @@ function form_actions() {
 				<input type='hidden' name='action' value='actions'>
 				<input type='hidden' name='save_list' value='1'>
 				<input type='hidden' name='selected_items' value='" . (isset($array) ? serialize($array) : '') . "'>
-				<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+				<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 				$save_html
 			</td>
 		</tr>";
@@ -665,10 +665,10 @@ function form_actions() {
 		print "	<tr>
 				<td class='saveRow'>
 				<input type='hidden' name='action' value='actions'>
-				<input type='hidden' name='id' value='" . get_request_var('id') . "'>
+				<input type='hidden' name='id' value='" . html_escape(get_request_var('id')) . "'>
 				<input type='hidden' name='save_templates' value='1'>
 				<input type='hidden' name='selected_items' value='" . (isset($array) ? serialize($array) : '') . "'>
-				<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+				<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 				$save_html
 			</td>
 		</tr>";
@@ -743,10 +743,10 @@ function form_actions() {
 		print "	<tr>
 				<td class='saveRow'>
 				<input type='hidden' name='action' value='actions'>
-				<input type='hidden' name='id' value='" . get_request_var('id') . "'>
+				<input type='hidden' name='id' value='" . html_escape(get_request_var('id')) . "'>
 				<input type='hidden' name='save_tholds' value='1'>
 				<input type='hidden' name='selected_items' value='" . (isset($array) ? serialize($array) : '') . "'>
-				<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+				<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 				$save_html
 			</td>
 		</tr>";
@@ -828,10 +828,10 @@ function form_actions() {
 		print "<tr>
 			<td class='saveRow'>
 				<input type='hidden' name='action' value='actions'>
-				<input type='hidden' name='id' value='" . get_request_var('id') . "'>
+				<input type='hidden' name='id' value='" . html_escape(get_request_var('id')) . "'>
 				<input type='hidden' name='save_associate' value='1'>
 				<input type='hidden' name='selected_items' value='" . (isset($array) ? serialize($array) : '') . "'>
-				<input type='hidden' name='drp_action' value='" . get_request_var('drp_action') . "'>
+				<input type='hidden' name='drp_action' value='" . html_escape(get_request_var('drp_action')) . "'>
 				$save_html
 			</td>
 		</tr>";
@@ -1241,7 +1241,7 @@ function clearFilter() {
 
 	$hosts = db_fetch_assoc_prepared($sql_query, $sql_params);
 
-	$nav = html_nav_bar('notify_lists.php?action=edit&id=' . get_request_var('id'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 10, __('Devices', 'thold'), 'page', 'main');
+	$nav = html_nav_bar('notify_lists.php?action=edit&id=' . (int)get_request_var('id'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 10, __('Devices', 'thold'), 'page', 'main');
 
 	form_start('notify_lists.php', 'chk');
 
@@ -1387,7 +1387,7 @@ function tholds($header_label) {
 	$limit = ($rows * (intval(get_request_var('page')) - 1)) . ", $rows";
 
 	if (!isempty_request_var('template') && get_request_var('template') != '-1') {
-		$sql_where .= ($sql_where == '' ? '' : ' AND ') . 'td.data_template_id = ' . get_request_var('template');
+		$sql_where .= ($sql_where == '' ? '' : ' AND ') . 'td.data_template_id = ' . (int)get_request_var('template');
 	}
 
 	if (get_request_var('site_id') == '-1') {
@@ -1395,11 +1395,11 @@ function tholds($header_label) {
 	} elseif (get_request_var('site_id') == '0') {
 		$sql_where .= ($sql_where == '' ? '' : ' AND ') . ' h.site_id=0';
 	} elseif (!isempty_request_var('site_id')) {
-		$sql_where .= ($sql_where == '' ? '' : ' AND ') . ' h.site_id=' . get_request_var('site_id');
+		$sql_where .= ($sql_where == '' ? '' : ' AND ') . ' h.site_id=' . (int)get_request_var('site_id');
 	}
 
 	if (strlen(get_request_var('rfilter'))) {
-		$sql_where .= (!strlen($sql_where) ? '' : ' AND ') . "td.name_cache RLIKE '" . get_request_var('rfilter') . "'";
+		$sql_where .= (!strlen($sql_where) ? '' : ' AND ') . 'td.name_cache RLIKE ' . db_qstr(get_request_var('rfilter'));
 	}
 
 	if ($statefilter != '') {
@@ -1407,7 +1407,7 @@ function tholds($header_label) {
 	}
 
 	if (get_request_var('associated') == 'true') {
-		$sql_where .= (!strlen($sql_where) ? '' : ' AND ') . '(td.notify_warning=' . get_request_var('id') . ' OR td.notify_alert=' . get_request_var('id') . ')';
+		$sql_where .= (!strlen($sql_where) ? '' : ' AND ') . '(td.notify_warning=' . (int)get_request_var('id') . ' OR td.notify_alert=' . (int)get_request_var('id') . ')';
 	}
 
 	$result = get_allowed_thresholds($sql_where, $sort, $limit, $total_rows);
diff --git a/tests/Integration/test_notify_list_wiring.php b/tests/Integration/test_notify_list_wiring.php
new file mode 100644
index 0000000..5d492fe
--- /dev/null
+++ b/tests/Integration/test_notify_list_wiring.php
@@ -0,0 +1,24 @@
+<?php
+
+$source = file_get_contents(dirname(__DIR__, 2) . '/notify_lists.php');
+
+if ($source === false) {
+	fwrite(STDERR, "Unable to read notify_lists.php\n");
+	exit(1);
+}
+
+$checks = array(
+	"id=<?php print (int)get_filter_request_var('id'); ?>",
+	"'notify_lists.php?action=edit&id=' . (int)get_request_var('id')",
+	"<input type='hidden' name='id' value='\" . html_escape(get_request_var('id')) . \"'>",
+	"<input type='hidden' name='drp_action' value='\" . html_escape(get_request_var('drp_action')) . \"'>",
+);
+
+foreach ($checks as $needle) {
+	if (strpos($source, $needle) === false) {
+		fwrite(STDERR, "Missing expected notify list wiring\n");
+		exit(1);
+	}
+}
+
+echo "OK\n";
diff --git a/tests/Unit/test_notify_list_security_guards.php b/tests/Unit/test_notify_list_security_guards.php
new file mode 100644
index 0000000..1b7d86f
--- /dev/null
+++ b/tests/Unit/test_notify_list_security_guards.php
@@ -0,0 +1,26 @@
+<?php
+
+$source = file_get_contents(dirname(__DIR__, 2) . '/notify_lists.php');
+
+if ($source === false) {
+	fwrite(STDERR, "Unable to read notify_lists.php\n");
+	exit(1);
+}
+
+$needles = array(
+	"html_escape(get_request_var('drp_action'))",
+	"html_escape(get_request_var('id'))",
+	"'td.data_template_id = ' . (int)get_request_var('template')",
+	"' h.site_id=' . (int)get_request_var('site_id')",
+	"'td.name_cache RLIKE ' . db_qstr(get_request_var('rfilter'))",
+	"'(td.notify_warning=' . (int)get_request_var('id') . ' OR td.notify_alert=' . (int)get_request_var('id') . ')'",
+);
+
+foreach ($needles as $needle) {
+	if (strpos($source, $needle) === false) {
+		fwrite(STDERR, "Missing expected notify list guard\n");
+		exit(1);
+	}
+}
+
+echo "OK\n";
diff --git a/tests/e2e/test_notify_list_no_raw_sql_or_form_reuse.php b/tests/e2e/test_notify_list_no_raw_sql_or_form_reuse.php
new file mode 100644
index 0000000..2207948
--- /dev/null
+++ b/tests/e2e/test_notify_list_no_raw_sql_or_form_reuse.php
@@ -0,0 +1,26 @@
+<?php
+
+$source = file_get_contents(dirname(__DIR__, 2) . '/notify_lists.php');
+
+if ($source === false) {
+	fwrite(STDERR, "Unable to read notify_lists.php\n");
+	exit(1);
+}
+
+$legacy = array(
+	"<input type='hidden' name='drp_action' value='\" . get_request_var('drp_action') . \"'>",
+	"<input type='hidden' name='id' value='\" . get_request_var('id') . \"'>",
+	"td.name_cache RLIKE '\" . get_request_var('rfilter') . \"'",
+	"'td.data_template_id = ' . get_request_var('template')",
+	"' h.site_id=' . get_request_var('site_id')",
+	"'(td.notify_warning=' . get_request_var('id') . ' OR td.notify_alert=' . get_request_var('id') . ')'",
+);
+
+foreach ($legacy as $needle) {
+	if (strpos($source, $needle) !== false) {
+		fwrite(STDERR, "Found legacy insecure notify list pattern\n");
+		exit(1);
+	}
+}
+
+echo "OK\n";