14 files changed, 55 insertions, 16 deletions

diff --git a/modules/luci-base/luasrc/view/cbi/apply_xhr.htm b/modules/luci-base/luasrc/view/cbi/apply_xhr.htm
index 1814c9393b..daa57c1db7 100644
--- a/modules/luci-base/luasrc/view/cbi/apply_xhr.htm
+++ b/modules/luci-base/luasrc/view/cbi/apply_xhr.htm
@@ -4,10 +4,10 @@
 	<script type="text/javascript">//<![CDATA[
 		var apply_xhr = new XHR();
 
-		apply_xhr.get('<%=luci.dispatcher.build_url("servicectl", "restart", table.concat(configs, ","))%>', null,
+		apply_xhr.post('<%=url('servicectl/restart', table.concat(configs, ","))%>', { token: '<%=token%>' },
 			function() {
 				var checkfinish = function() {
-					apply_xhr.get('<%=luci.dispatcher.build_url("servicectl", "status")%>', null,
+					apply_xhr.get('<%=url('servicectl/status')%>', null,
 						function(x) {
 							if( x.responseText == 'finish' )
 							{
diff --git a/modules/luci-base/luasrc/view/cbi/browser.htm b/modules/luci-base/luasrc/view/cbi/browser.htm
index e4a4077d55..a18120141d 100644
--- a/modules/luci-base/luasrc/view/cbi/browser.htm
+++ b/modules/luci-base/luasrc/view/cbi/browser.htm
@@ -2,6 +2,6 @@
 <%+cbi/valueheader%>
 	<input class="cbi-input-text" type="text"<%= attr("value", v) .. attr("name", cbid) .. attr("id", cbid) %> />
 	<script type="text/javascript">
-cbi_browser_init('<%=cbid%>', '<%=resource%>', '<%=luci.dispatcher.build_url("admin", "filebrowser")%>'<%=self.default_path and ", '"..self.default_path.."'"%>);
+cbi_browser_init('<%=cbid%>', '<%=resource%>', '<%=url('admin/filebrowser')%>'<%=self.default_path and ", '"..self.default_path.."'"%>);
 	</script>
 <%+cbi/valuefooter%>
diff --git a/modules/luci-base/luasrc/view/cbi/dynlist.htm b/modules/luci-base/luasrc/view/cbi/dynlist.htm
index fd626a4ecf..e936c0c39f 100644
--- a/modules/luci-base/luasrc/view/cbi/dynlist.htm
+++ b/modules/luci-base/luasrc/view/cbi/dynlist.htm
@@ -15,7 +15,9 @@
 <script type="text/javascript">
 cbi_dynlist_init(
 	'<%=cbid%>', '<%=resource%>', '<%=self.datatype%>',
-	<%=tostring(self.optional or self.rmempty)%>
+	<%=tostring(self.optional or self.rmempty)%>,
+	'<%=url('admin/filebrowser')%>',
+	'<%=self.default_path and self.default_path%>'
 	<%- if #self.keylist > 0 then -%>, [{
 		<%- for i, k in ipairs(self.keylist) do -%>
 			<%-=string.format("%q", k) .. ":" .. string.format("%q", self.vallist[i])-%>
diff --git a/modules/luci-base/luasrc/view/cbi/error.htm b/modules/luci-base/luasrc/view/cbi/error.htm
index 2acb96924e..75ec1082aa 100644
--- a/modules/luci-base/luasrc/view/cbi/error.htm
+++ b/modules/luci-base/luasrc/view/cbi/error.htm
@@ -1,5 +1,5 @@
 <div class="cbi-map" id="cbi-<%=self.config%>">
-	<% if self.title and #self.title > 0 then %><h2><a id="content" name="content"><%=self.title%></a></h2><% end %>
+	<% if self.title and #self.title > 0 then %><h2 name="content"><%=self.title%></h2><% end %>
 	<% if self.description and #self.description > 0 then %><div class="cbi-map-descr"><%=self.description%></div><% end %>
 
 	<p class="alert-message danger">
diff --git a/modules/luci-base/luasrc/view/cbi/header.htm b/modules/luci-base/luasrc/view/cbi/header.htm
index 2bddaba61a..302df1d2fd 100644
--- a/modules/luci-base/luasrc/view/cbi/header.htm
+++ b/modules/luci-base/luasrc/view/cbi/header.htm
@@ -2,6 +2,7 @@
 <form method="post" name="cbi" action="<%=REQUEST_URI%>" enctype="multipart/form-data" onreset="return cbi_validate_reset(this)" onsubmit="return cbi_validate_form(this, '<%:Some fields are invalid, cannot save values!%>')">
 	<div>
 		<script type="text/javascript" src="<%=resource%>/cbi.js"></script>
+		<input type="hidden" name="token" value="<%=token%>" />
 		<input type="hidden" name="cbi.submit" value="1" />
 		<input type="submit" value="<%:Save%>" class="hidden" />
 	</div>
diff --git a/modules/luci-base/luasrc/view/cbi/map.htm b/modules/luci-base/luasrc/view/cbi/map.htm
index 053220d185..e90c3f589f 100644
--- a/modules/luci-base/luasrc/view/cbi/map.htm
+++ b/modules/luci-base/luasrc/view/cbi/map.htm
@@ -5,7 +5,7 @@
 <%-+cbi/apply_xhr-%>
 
 <div class="cbi-map" id="cbi-<%=self.config%>">
-	<% if self.title and #self.title > 0 then %><h2><a id="content" name="content"><%=self.title%></a></h2><% end %>
+	<% if self.title and #self.title > 0 then %><h2 name="content"><%=self.title%></h2><% end %>
 	<% if self.description and #self.description > 0 then %><div class="cbi-map-descr"><%=self.description%></div><% end %>
 	<%- if firstmap and applymap then cbi_apply_xhr(self.config, parsechain, redirect) end -%>
 	<%- self:render_children() %>
diff --git a/modules/luci-base/luasrc/view/cbi/mvalue.htm b/modules/luci-base/luasrc/view/cbi/mvalue.htm
index 6a0b3881d0..5d092610ed 100644
--- a/modules/luci-base/luasrc/view/cbi/mvalue.htm
+++ b/modules/luci-base/luasrc/view/cbi/mvalue.htm
@@ -12,7 +12,7 @@
 	c = c + 1
 %>
 	<input class="cbi-input-checkbox" type="checkbox" onclick="cbi_d_update(this.id)" onchange="cbi_d_update(this.id)"<%= attr("id", cbid..c) .. attr("name", cbid) .. attr("value", key) .. ifattr(luci.util.contains(v, key), "checked", "checked") %> />
-	<label<%= attr("for", cbid..c) %>><%=self.vallist[i]%></label><br />
+	<label<%= attr("for", cbid..c) %>><%=self.vallist[i]%></label><% if not self.oneline then %><br /><% else %> <% end %>
 <% if c == self.size then c = 0 %><br />
 <% end end %>
 <% end %>
diff --git a/modules/luci-base/luasrc/view/cbi/simpleform.htm b/modules/luci-base/luasrc/view/cbi/simpleform.htm
index 5216cd50f1..78f5c5a544 100644
--- a/modules/luci-base/luasrc/view/cbi/simpleform.htm
+++ b/modules/luci-base/luasrc/view/cbi/simpleform.htm
@@ -2,11 +2,12 @@
 <form method="post" enctype="multipart/form-data" action="<%=REQUEST_URI%>">
 	<div>
 		<script type="text/javascript" src="<%=resource%>/cbi.js"></script>
+		<input type="hidden" name="token" value="<%=token%>" />
 		<input type="hidden" name="cbi.submit" value="1" />
 	</div>
 <% end %>
 	<div class="cbi-map" id="cbi-<%=self.config%>">
-		<% if self.title and #self.title > 0 then %><h2><a id="content" name="content"><%=self.title%></a></h2><% end %>
+		<% if self.title and #self.title > 0 then %><h2 name="content"><%=self.title%></h2><% end %>
 		<% if self.description and #self.description > 0 then %><div class="cbi-map-descr"><%=self.description%></div><% end %>
 		<% self:render_children() %>
 		<br />
diff --git a/modules/luci-base/luasrc/view/cbi/upload.htm b/modules/luci-base/luasrc/view/cbi/upload.htm
index 7770934111..157f3b36fa 100644
--- a/modules/luci-base/luasrc/view/cbi/upload.htm
+++ b/modules/luci-base/luasrc/view/cbi/upload.htm
@@ -6,9 +6,19 @@
 <%+cbi/valueheader%>
 	<% if s then %>
 		<%:Uploaded File%> (<%=t.byte_format(s.size)%>)
-		<input type="hidden"<%= attr("value", v) .. attr("name", cbid) .. attr("id", cbid) %> />
-		<input class="cbi-button cbi-input-image" type="image" value="<%:Replace entry%>" name="cbi.rlf.<%=section .. "." .. self.option%>" alt="<%:Replace entry%>" title="<%:Replace entry%>" src="<%=resource%>/cbi/reload.gif" />
-	<% else %>
+                <% if self.unsafeupload then %>
+		    <input type="hidden"<%= attr("value", v) .. attr("name", cbid) .. attr("id", cbid) %> />
+		    <input class="cbi-button cbi-input-image" type="image" value="<%:Replace entry%>" name="cbi.rlf.<%=section .. "." .. self.option%>" alt="<%:Replace entry%>" title="<%:Replace entry%>" src="<%=resource%>/cbi/reload.gif" />
+                <% end %>
+	<% end %>
+
+        <% if not self.unsafeupload then %>
+		<input type="hidden"<%= attr("value", v) .. attr("name", "cbi.rlf." .. section .. "." .. self.option) .. attr("id", "cbi.rlf." .. section .. "." .. self.option) %> />
+	<% end %>
+		
+	<% if (not s) or (s and not self.unsafeupload) then %>
 		<input class="cbi-input-file" type="file"<%= attr("name", cbid) .. attr("id", cbid) %> />
 	<% end %>
+	<input type="text" class="cbi-input-text" onchange="cbi_d_update(this.id)"<%=
+		attr("name", cbid .. ".textbox") .. attr("id", cbid .. ".textbox") .. attr("value", luci.cbi.AbstractValue.cfgvalue(self, section) or self.default) .. ifattr(self.size, "size") .. ifattr(self.placeholder, "placeholder") .. ifattr(self.readonly, "readonly") .. ifattr(self.maxlength, "maxlength") %> />
 <%+cbi/valuefooter%>
diff --git a/modules/luci-base/luasrc/view/cbi/value.htm b/modules/luci-base/luasrc/view/cbi/value.htm
index d1a7bea5c6..c43dab5f4b 100644
--- a/modules/luci-base/luasrc/view/cbi/value.htm
+++ b/modules/luci-base/luasrc/view/cbi/value.htm
@@ -1,7 +1,8 @@
 <%+cbi/valueheader%>
 	<input type="<%=self.password and 'password" class="cbi-input-password' or 'text" class="cbi-input-text' %>" onchange="cbi_d_update(this.id)"<%=
 		attr("name", cbid) .. attr("id", cbid) .. attr("value", self:cfgvalue(section) or self.default) ..
-		ifattr(self.size, "size") .. ifattr(self.placeholder, "placeholder")
+		ifattr(self.size, "size") .. ifattr(self.placeholder, "placeholder") ..
+		ifattr(self.readonly, "readonly") .. ifattr(self.maxlength, "maxlength")
 	%> />
 	<% if self.password then %><img src="<%=resource%>/cbi/reload.gif" style="vertical-align:middle" title="<%:Reveal/hide password%>" onclick="var e = document.getElementById('<%=cbid%>'); e.type = (e.type=='password') ? 'text' : 'password';" /><% end %>
 	<% if #self.keylist > 0 or self.datatype then -%>
@@ -28,7 +29,7 @@
 		<%- end -%>');
 		<%- end %>
 		<% if self.datatype then -%>
-		cbi_validate_field('<%=cbid%>', <%=tostring((self.optional or self.rmempty) == true)%>, '<%=self.datatype:gsub("'", "\\'")%>');
+		cbi_validate_field('<%=cbid%>', <%=tostring((self.optional or self.rmempty) == true)%>, '<%=self.datatype:gsub("\\", "\\\\"):gsub("'", "\\'")%>');
 		<%- end %>
 	//]]></script>
 	<% end -%>
diff --git a/modules/luci-base/luasrc/view/csrftoken.htm b/modules/luci-base/luasrc/view/csrftoken.htm
new file mode 100644
index 0000000000..57ac03f3bf
--- /dev/null
+++ b/modules/luci-base/luasrc/view/csrftoken.htm
@@ -0,0 +1,24 @@
+<%#
+ Copyright 2015 Jo-Philipp Wich <jow@openwrt.org>
+ Licensed to the public under the Apache License 2.0.
+-%>
+
+<%+header%>
+
+<h2 name="content"><%:Form token mismatch%></h2>
+<br />
+
+<p class="alert-message"><%:The submitted security token is invalid or already expired!%></p>
+
+<p><%:
+	In order to prevent unauthorized access to the system, your request has
+	been blocked. Click "Continue »" below to return to the previous page.
+%></p>
+
+<hr />
+
+<p class="right">
+	<strong><a href="#" onclick="window.history.back();">Continue »</a></strong>
+</p>
+
+<%+footer%>
diff --git a/modules/luci-base/luasrc/view/error404.htm b/modules/luci-base/luasrc/view/error404.htm
index c2be29ed58..bc74226830 100644
--- a/modules/luci-base/luasrc/view/error404.htm
+++ b/modules/luci-base/luasrc/view/error404.htm
@@ -5,7 +5,7 @@
 -%>
 
 <%+header%>
-<h2><a id="content" name="content">404 <%:Not Found%></a></h2>
+<h2 name="content">404 <%:Not Found%></h2>
 <p><%:Sorry, the object you requested was not found.%></p>
 <tt><%:Unable to dispatch%>: <%=luci.http.request.env.PATH_INFO%></tt>
 <%+footer%>
diff --git a/modules/luci-base/luasrc/view/error500.htm b/modules/luci-base/luasrc/view/error500.htm
index 8fb18ed076..34a52cda84 100644
--- a/modules/luci-base/luasrc/view/error500.htm
+++ b/modules/luci-base/luasrc/view/error500.htm
@@ -5,7 +5,7 @@
 -%>
 
 <%+header%>
-<h2><a id="content" name="content">500 <%:Internal Server Error%></a></h2>
+<h2 name="content">500 <%:Internal Server Error%></h2>
 <p><%:Sorry, the server encountered an unexpected error.%></p>
 <pre class="error500"><%=message%></pre>
 <%+footer%>
diff --git a/modules/luci-base/luasrc/view/sysauth.htm b/modules/luci-base/luasrc/view/sysauth.htm
index 7f0f0a622b..e207504911 100644
--- a/modules/luci-base/luasrc/view/sysauth.htm
+++ b/modules/luci-base/luasrc/view/sysauth.htm
@@ -8,7 +8,7 @@
 
 <form method="post" action="<%=pcdata(luci.http.getenv("REQUEST_URI"))%>">
 	<div class="cbi-map">
-		<h2><a id="content" name="content"><%:Authorization Required%></a></h2>
+		<h2 name="content"><%:Authorization Required%></h2>
 		<div class="cbi-map-descr">
 			<%:Please enter your username and password.%>
 			<%- if fuser then %>