authorJo-Philipp Wich <jo@mein.io>2022-09-21 14:47:41 +0200
committerJo-Philipp Wich <jo@mein.io>2022-09-21 14:47:41 +0200
commit944b55738e7f9685865d5298248b7fbd7380749e (patch)
treebea3f287aec71252770db597b035e399019e05be /modules/luci-mod-system/htdocs/luci-static/resources/view
parent68453ff14ad1fa90b71c83aa0a51cee7cd412acd (diff)
luci-mod-system: sshkeys.js: prevent XSS through pubkey comments
Ensure to not display public key comments verbatim in order to prevent injection of markup. Reported-by: Eric McDonald <ericmcdonald@protonmail.com> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules/luci-mod-system/htdocs/luci-static/resources/view')
-rw-r--r--modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js2
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js b/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
index a2f0bef9b4..8b12b2311e 100644
--- a/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
+++ b/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
@@ -112,7 +112,7 @@ function renderKeyItem(pubkey) {
click: isReadonlyView ? null : removeKey,
'data-key': pubkey.src
}, [
- E('strong', pubkey.comment || _('Unnamed key')), E('br'),
+ E('strong', [ pubkey.comment || _('Unnamed key') ]), E('br'),
E('small', [
'%s, %s'.format(pubkey.type, pubkey.curve || _('%d Bit').format(pubkey.bits)),
pubkey.options ? E([], [
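Review bot: The corrected line `E('strong', [ pubkey.comment || _('Unnamed key') ])` differs from the vulnerable one only by the array brackets, and nothing on it says the brackets are the security control, so a later cleanup could drop them and reintroduce the injection. I would add a comment directly above it, such as `// keep the array: E() inserts a bare string child as markup, array members as text nodes`. The `pubkey.type`, `pubkey.curve` and `pubkey.bits` values in the `E('small', [ ... ])` call are already array members, but the `pubkey.options` branch continues past the end of the hunk, as does the rest of `renderKeyItem`. Since option names and values presumably come from the same user-supplied key line, check that every one of them is also passed as an array member and never as a bare string child.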