luci-mod-admin-full: escape display parameter

Prevent reflected XSS through the reset button by url encoding the display parameter. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
author: Jo-Philipp Wich <jo@mein.io> 2018-04-05 23:00:46 +0200
committer: Jo-Philipp Wich <jo@mein.io> 2018-04-05 23:03:01 +0200
commit: bfc98bec4d79efb24434e11ea27b3c17c31365ab (patch)
tree: 97a72c7817cb566283bf5485eb20ccd4dbe8e543 /modules
parent: 731ed77c0bbee7004a6b5645d9a8592a76748a1c (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
index d5d78289b..88e0fffd9 100644
--- a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
@@ -69,7 +69,7 @@ end
 				<% if querypat then %>
 				<div class="cbi-value">
 					<%:Displaying only packages containing%> <strong>"<%=pcdata(query)%>"</strong>
-					<input type="button" onclick="location.href='?display=<%=pcdata(display)%>'" href="#" class="cbi-button cbi-button-reset" style="margin-left:1em" value="<%:Reset%>" />
+					<input type="button" onclick="location.href='?display=<%=luci.http.urlencode(display)%>'" href="#" class="cbi-button cbi-button-reset" style="margin-left:1em" value="<%:Reset%>" />
 					<br style="clear:both" />
 				</div>
 				<% end %>
author	Jo-Philipp Wich <jo@mein.io>	2018-04-05 23:00:46 +0200
committer	Jo-Philipp Wich <jo@mein.io>	2018-04-05 23:03:01 +0200
commit	bfc98bec4d79efb24434e11ea27b3c17c31365ab (patch)
tree	97a72c7817cb566283bf5485eb20ccd4dbe8e543 /modules
parent	731ed77c0bbee7004a6b5645d9a8592a76748a1c (diff)