author | Jo-Philipp Wich <jo@mein.io> | 2019-02-12 08:32:02 +0100 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2019-02-12 08:32:02 +0100 |
commit | eda8f02dac3caa4d0f52cd1e860d7a392c295df3 (patch) | |
tree | d4d740fedc7f485b7ab3702f62c6cb47cbfb0444 /modules/luci-base/luasrc/view/cbi | |
parent | 4141243762aafb7960d67f871c97907307005f87 (diff) |
treewide: avoid double-escaping CBI section labels
Since the section labels are already HTML-escaped implicitly by the
striptags() function, we must not escape them again in attr() or
ifattr().
Fixes: #2524
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules/luci-base/luasrc/view/cbi')
-rw-r--r-- | modules/luci-base/luasrc/view/cbi/cell_valueheader.htm | 4 | ||||
-rw-r--r-- | modules/luci-base/luasrc/view/cbi/tblsection.htm | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/modules/luci-base/luasrc/view/cbi/cell_valueheader.htm b/modules/luci-base/luasrc/view/cbi/cell_valueheader.htm index ea0568f40..cb11d8f61 100644 --- a/modules/luci-base/luasrc/view/cbi/cell_valueheader.htm +++ b/modules/luci-base/luasrc/view/cbi/cell_valueheader.htm @@ -6,7 +6,7 @@ <div class="td cbi-value-field<% if self.error and self.error[section] then %> cbi-value-error<% end %>"<%= attr("data-name", self.option) .. ifattr(ftype and #ftype > 0, "data-type", ftype) .. - ifattr(title and #title > 0, "data-title", title) .. - ifattr(descr and #descr > 0, "data-description", descr) + ifattr(title and #title > 0, "data-title", title, true) .. + ifattr(descr and #descr > 0, "data-description", descr, true) %>> <div id="cbi-<%=self.config.."-"..section.."-"..self.option%>" data-index="<%=self.index%>" data-depends="<%=pcdata(self:deplist2json(section))%>"> diff --git a/modules/luci-base/luasrc/view/cbi/tblsection.htm b/modules/luci-base/luasrc/view/cbi/tblsection.htm index 408dfa7fe..11c2206d8 100644 --- a/modules/luci-base/luasrc/view/cbi/tblsection.htm +++ b/modules/luci-base/luasrc/view/cbi/tblsection.htm @@ -127,7 +127,7 @@ end section = k local sectionname = striptags((type(self.sectiontitle) == "function") and self:sectiontitle(section) or k) - local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname) + local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname, true) local colorclass = (self.extedit or self.rowcolors) and rowstyle() or "" local scope = { valueheader = "cbi/cell_valueheader", |
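Review bot: The new `true` argument on the three ifattr() calls (title and descr in cell_valueheader.htm, sectionname in tblsection.htm), which per the commit message skips escaping, is safe only while each value really is striptags() output, and nothing at the call sites records that. In tblsection.htm the striptags() call is visible on the line just above, but in cell_valueheader.htm `title` and `descr` are assigned outside the hunk, so this cannot be confirmed from here. A short comment where each value is assigned, such as `-- already HTML-escaped by striptags(); passed to ifattr() with escaping off`, would keep a later edit from dropping striptags() and leaving raw text in the attribute. Because these values end up inside a quoted attribute, it is also worth confirming that striptags() escapes quote characters as well as angle brackets and ampersands.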