author | Jo-Philipp Wich <jo@mein.io> | 2021-06-09 08:48:04 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-09 08:48:04 +0200 |
commit | b35316298bdd5d46c606ff66aacc2e62f4bb831d (patch) | |
tree | ac1d330cb1d8ecb385ccaad940ee5e4b6e685783 | |
parent | da97288015e0a8919c55075d71d88890e2f339f3 (diff) | |
parent | 5cbd79d7e31c0f0feaea2770bf102bbae7831e3c (diff) |
Merge pull request #5109 from hauke/striptags-from-hostname
themes: Call striptags() on hostname to prevent XSS
4 files changed, 4 insertions, 4 deletions
diff --git a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm
index ad2d7feef5..81a23d63af 100644
--- a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm
+++ b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm
@@ -41,7 +41,7 @@
 <header>
 <div class="fill">
 <div class="container">
- <a class="brand" href="/"><%=boardinfo.hostname or "?"%></a>
+ <a class="brand" href="/"><%=striptags(boardinfo.hostname or "?")%></a>
 <ul class="nav" id="topmenu" style="display:none"></ul>
 <div id="indicators" class="pull-right"></div>
 </div>
diff --git a/themes/luci-theme-material/luasrc/view/themes/material/header.htm b/themes/luci-theme-material/luasrc/view/themes/material/header.htm
index f81aae5ac1..8c418b6fc2 100644
--- a/themes/luci-theme-material/luasrc/view/themes/material/header.htm
+++ b/themes/luci-theme-material/luasrc/view/themes/material/header.htm
@@ -190,7 +190,7 @@
 <div class="container">
 <span class="showSide"></span>
 <a id="logo" href="<% if luci.dispatcher.context.authsession then %><%=url('admin/status/overview')%><% else %>#<% end %>"><img src="<%=media%>/brand.png" alt="OpenWrt"></a>
- <a class="brand" href="#"><%=boardinfo.hostname or "?"%></a>
+ <a class="brand" href="#"><%=striptags(boardinfo.hostname or "?")%></a>
 <div class="status" id="indicators">
 <span id="xhr_poll_status" style="display:none" onclick="XHR.running() ? XHR.halt() : XHR.run()">
 <span class="label success" id="xhr_poll_status_on"><span class="mobile-hide"><%:Auto Refresh%></span> <%:on%></span>
diff --git a/themes/luci-theme-openwrt-2020/luasrc/view/themes/openwrt2020/header.htm b/themes/luci-theme-openwrt-2020/luasrc/view/themes/openwrt2020/header.htm
index 1cc84acbb1..28589ff781 100644
--- a/themes/luci-theme-openwrt-2020/luasrc/view/themes/openwrt2020/header.htm
+++ b/themes/luci-theme-openwrt-2020/luasrc/view/themes/openwrt2020/header.htm
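Review bot: `striptags()` removes markup rather than encoding the value for the place it is written, and nothing in this diff shows whether it also escapes a stray `&`, `<` or quote left over after stripping; the same call is used in all four header.htm hunks (bootstrap, material, openwrt-2020, openwrt.org). In each of them the hostname is emitted as element text, where the conventional guard is HTML entity encoding, e.g. `<%=pcdata(boardinfo.hostname or "?")%>` if LuCI's `pcdata()` helper is available in these templates' scope. The change also covers only these four output sites: other views that print `boardinfo.hostname`, and the code path that accepts the hostname, are outside this diff and worth checking so the value is restricted to valid hostname characters where it is stored. Each template continues outside its hunk.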
@@ -43,7 +43,7 @@ <div id="menubar"> <h2 class="navigation"><a id="navigation" name="navigation"><%:Navigation%></a></h2> - <span class="hostname"><a href="/"><%=(boardinfo.hostname or "?")%></a></span> + <span class="hostname"><a href="/"><%=striptags(boardinfo.hostname or "?")%></a></span> <span class="distversion"><%=ver.distversion%></span> <span id="indicators"></span> </div> diff --git a/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm b/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm index 5f79b386b2..a17f350263 100644 --- a/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm +++ b/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm @@ -50,7 +50,7 @@ <h2 class="navigation"><a id="navigation" name="navigation"><%:Navigation%></a></h2> <div class="hostinfo"> - <%=(boardinfo.hostname or "?")%> | <%=ver.distversion%> | + <%=striptags(boardinfo.hostname or "?")%> | <%=ver.distversion%> | <%:Load%>: <%="%.2f" % (loadinfo[1] / 65535.0)%> <%="%.2f" % (loadinfo[2] / 65535.0)%> <%="%.2f" % (loadinfo[3] / 65535.0)%> </div> |
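Review bot: In the openwrt-2020 and openwrt.org hunks the neighbouring `<%=ver.distversion%>` is still written without any filtering, so two values in the same header element are now handled differently. The version string presumably comes from build-time release data rather than from user configuration, which would make it lower risk, but its origin is not visible in this diff. Passing it through the same helper as the hostname, e.g. `<%=striptags(ver.distversion)%>`, keeps the header consistent and means nobody has to reason about where that value comes from. Both templates continue outside their hunks.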