summaryrefslogtreecommitdiffhomepage
path: root/themes/luci-theme-openwrt-2020/luasrc
diff options
context:
space:
mode:
authorHauke Mehrtens <hauke@hauke-m.de>2021-06-09 01:28:44 +0200
committerHauke Mehrtens <hauke@hauke-m.de>2021-06-09 01:33:44 +0200
commit5cbd79d7e31c0f0feaea2770bf102bbae7831e3c (patch)
treeac1d330cb1d8ecb385ccaad940ee5e4b6e685783 /themes/luci-theme-openwrt-2020/luasrc
parentda97288015e0a8919c55075d71d88890e2f339f3 (diff)
themes: Call striptags() on hostname to prevent XSS
This calls striptags() on the hostname to prevent any XSS over the hostname. This should fix CVE-2021-33425 as far as I understood it. If someone adds some Javascript into system.@system[0].hostname it would have been directly added to the page, this prevents the problem. This can only be exploited by someone being able to modify the uci configuration, normally a user with such privileges could also just modify the webpage. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Diffstat (limited to 'themes/luci-theme-openwrt-2020/luasrc')
-rw-r--r--themes/luci-theme-openwrt-2020/luasrc/view/themes/openwrt2020/header.htm2
1 files changed, 1 insertions, 1 deletions
diff --git a/themes/luci-theme-openwrt-2020/luasrc/view/themes/openwrt2020/header.htm b/themes/luci-theme-openwrt-2020/luasrc/view/themes/openwrt2020/header.htm
index 1cc84acbb1..28589ff781 100644
--- a/themes/luci-theme-openwrt-2020/luasrc/view/themes/openwrt2020/header.htm
+++ b/themes/luci-theme-openwrt-2020/luasrc/view/themes/openwrt2020/header.htm
@@ -43,7 +43,7 @@
<div id="menubar">
<h2 class="navigation"><a id="navigation" name="navigation"><%:Navigation%></a></h2>
- <span class="hostname"><a href="/"><%=(boardinfo.hostname or "?")%></a></span>
+ <span class="hostname"><a href="/"><%=striptags(boardinfo.hostname or "?")%></a></span>
<span class="distversion"><%=ver.distversion%></span>
<span id="indicators"></span>
</div>