themes: ensure that data-page attribute is escaped

Fixes: #3757 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
author: Jo-Philipp Wich <jo@mein.io> 2020-03-15 17:48:40 +0100
committer: Jo-Philipp Wich <jo@mein.io> 2020-03-15 17:48:40 +0100
commit: 5d7dc391d4af4ad5dd6d7e1f6ef9891aa21fd220 (patch)
tree: 8b9716d43e0aa4b59cde300686db8b5b3e60ec04 /themes/luci-theme-material/luasrc/view
parent: 03af89a24b52c152a97b4624098a64b597327b87 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/themes/luci-theme-material/luasrc/view/themes/material/header.htm b/themes/luci-theme-material/luasrc/view/themes/material/header.htm
index 7541d048c0..124314039a 100644
--- a/themes/luci-theme-material/luasrc/view/themes/material/header.htm
+++ b/themes/luci-theme-material/luasrc/view/themes/material/header.htm
@@ -184,7 +184,7 @@
 		})();
 	//]]></script>
 </head>
-<body class="lang_<%=luci.i18n.context.lang%> <% if node then %><%= striptags( node.title ) %><% end %> <% if luci.dispatcher.context.authsession then %>logged-in<% end %>" data-page="<%= table.concat(disp.context.requestpath, "-") %>">
+<body class="lang_<%=luci.i18n.context.lang%> <% if node then %><%= striptags( node.title ) %><% end %> <% if luci.dispatcher.context.authsession then %>logged-in<% end %>" data-page="<%= pcdata(table.concat(disp.context.requestpath, "-")) %>">
 <header>
 	<div class="fill">
 		<div class="container">
author	Jo-Philipp Wich <jo@mein.io>	2020-03-15 17:48:40 +0100
committer	Jo-Philipp Wich <jo@mein.io>	2020-03-15 17:48:40 +0100
commit	5d7dc391d4af4ad5dd6d7e1f6ef9891aa21fd220 (patch)
tree	8b9716d43e0aa4b59cde300686db8b5b3e60ec04 /themes/luci-theme-material/luasrc/view
parent	03af89a24b52c152a97b4624098a64b597327b87 (diff)