modules/freifunk: Prevent injections

1 files changed, 5 insertions, 3 deletions

diff --git a/modules/freifunk/luasrc/view/freifunk-services/services.htm b/modules/freifunk/luasrc/view/freifunk-services/services.htm
index 650ef43a4..735a43205 100644
--- a/modules/freifunk/luasrc/view/freifunk-services/services.htm
+++ b/modules/freifunk/luasrc/view/freifunk-services/services.htm
@@ -64,10 +64,12 @@ end
 	for k, line in ipairs(table) do
 		local field = {}
 		-- split line at # and |, 1=url, 2=proto, 3=description, 4=source
-		local field = luci.util.split(line, "[#|]", split, true) %>
+		local field = luci.util.split(line, "[#|]", split, true)
+		url,descr,origin = pcdata(field[1]),pcdata(field[3]),pcdata(field[4])
+		%>
 					<tr class="cbi-section-table-row cbi-rowstyle-<%=i%>">
-						<td class="cbi-section-table-cell"><a href="<%=field[1]%>"><%=field[3]%></a></td>
-						<td class="cbi-section-table-cell"><%=field[4]%></td>
+						<td class="cbi-section-table-cell"><a href="<%=url%>"><%=descr%></a></td>
+						<td class="cbi-section-table-cell"><%=origin%></td>
 					</tr>
 	<% if i == 1 then i = 0 elseif i == 0 then i = 1 end %>
 	<%end%>