From 32f0ff25a2ef28b58eae62688ecdb9d23dc91df0 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Mon, 29 Mar 2021 11:45:01 +0200
Subject: luci-app-dawn: fix custom markup

 - Properly indent HTML markup
 - Replace div-based table markup with actual tables
 - Escape SSID, hostname and interface values to prevent potential XSS

Fixes: #4942
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---
 .../luasrc/model/cbi/dawn/dawn_hearing_map.lua     | 120 ++++++++---------
 .../luasrc/model/cbi/dawn/dawn_network.lua         | 150 ++++++++++-----------
 2 files changed, 132 insertions(+), 138 deletions(-)

(limited to 'applications/luci-app-dawn')
diff --git a/applications/luci-app-dawn/luasrc/model/cbi/dawn/dawn_hearing_map.lua b/applications/luci-app-dawn/luasrc/model/cbi/dawn/dawn_hearing_map.lua
index 844fa72c43..d277865503 100644
--- a/applications/luci-app-dawn/luasrc/model/cbi/dawn/dawn_hearing_map.lua
+++ b/applications/luci-app-dawn/luasrc/model/cbi/dawn/dawn_hearing_map.lua
@@ -4,69 +4,65 @@ m.pageaction = false
 s = m:section(NamedSection, "__hearingmap__")
 
 function s.render(self, sid)
-    local tpl = require "luci.template"
-    tpl.render_string([[
-        <%
-        local utl = require "luci.util"
-        local status = require "luci.tools.ieee80211"
-        local stat = utl.ubus("dawn", "get_hearing_map", { })
-        local name, macs
+	local tpl = require "luci.template"
+	tpl.render_string([[
+		<%
+			local utl = require "luci.util"
+			local xml = require "luci.xml"
+			local status = require "luci.tools.ieee80211"
+			local stat = utl.ubus("dawn", "get_hearing_map", { })
+			local name, macs
 
-        for name, macs in pairs(stat) do
-        %>
-        <div class="cbi-section-node">
-	        <h3>SSID: <%= name %></h3>
-            <div class="table" id="dawn_hearing_map">
-		        <div class="tr table-titles">
-                    <div class="th">Client MAC</div>
-                    <div class="th">AP MAC</div>
-                    <div class="th">Frequency</div>
-                    <div class="th">HT Sup</div>
-                    <div class="th">VHT Sup</div>
-                    <div class="th">Signal</div>
-                    <div class="th">RCPI</div>
-                    <div class="th">RSNI</div>
-                    <div class="th">Channel Utilization</div>
-                    <div class="th">Station connect to AP</div>
-                    <div class="th">Score</div>
-                </div>
-                <%
-                local mac, data
-                for mac, data in pairs(macs) do
-                    local mac2, data2
-                    local count_loop = 0
+			for name, macs in pairs(stat) do
+		%>
+			<div class="cbi-section-node">
+				<h3>SSID: <%= xml.pcdata(name) %></h3>
+				<table class="table" id="dawn_hearing_map">
+					<tr class="tr table-titles">
+						<th class="th">Client MAC</th>
+						<th class="th">AP MAC</th>
+						<th class="th">Frequency</th>
+						<th class="th">HT Sup</th>
+						<th class="th">VHT Sup</th>
+						<th class="th">Signal</th>
+						<th class="th">RCPI</th>
+						<th class="th">RSNI</th>
+						<th class="th">Channel Utilization</th>
+						<th class="th">Station connect to AP</th>
+						<th class="th">Score</th>
+					</tr>
+					<%
+						local mac, data
+						for mac, data in pairs(macs) do
 
-                    for mac2, data2 in pairs(data) do
-                %>
-                        <div class="tr">
-                            <% if (count_loop == 0) then %>
-                                <div class="td"><%= mac %></div>
-                            <% else %>
-                                <div></div>
-                            <% end %>
-                            <div class="td"><%= mac2 %></div>
-                            <div class="td"><%= "%.3f" %( data2.freq / 1000 ) %> GHz Channel: <%= "%d" %( status.frequency_to_channel(data2.freq) ) %></div>
-                            <div class="td"><%= (data2.ht_capabilities == true and data2.ht_support == true) and "True" or "False" %></div>
-                            <div class="td"><%= (data2.vht_capabilities == true and data2.vht_support == true) and "True" or "False" %></div>
-                            <div class="td"><%= "%d" %data2.signal %></div>
-                            <div class="td"><%= "%d" %data2.rcpi %></div>
-                            <div class="td"><%= "%d" %data2.rsni %></div>
-                            <div class="td"><%= "%.2f" %(data2.channel_utilization / 2.55) %> %</div>
-                            <div class="td"><%= "%d" %data2.num_sta %></div>
-                            <div class="td"><%= "%d" %data2.score %></div>
-                        </div>
-			    <%
-			            count_loop = count_loop + 1
-                    end
-                end
-                %>
-            </div>
-        </div>
-        <%
-        end
-        %>
-    </div>
-    ]])
+							local mac2, data2
+							local count_loop = 0
+							for mac2, data2 in pairs(data) do
+					%>
+						<tr class="tr">
+							<td class="td"><%= (count_loop == 0) and mac or "" %></td>
+							<td class="td"><%= mac2 %></td>
+							<td class="td"><%= "%.3f" %( data2.freq / 1000 ) %> GHz Channel: <%= "%d" %( status.frequency_to_channel(data2.freq) ) %></td>
+							<td class="td"><%= (data2.ht_capabilities == true and data2.ht_support == true) and "True" or "False" %></td>
+							<td class="td"><%= (data2.vht_capabilities == true and data2.vht_support == true) and "True" or "False" %></td>
+							<td class="td"><%= "%d" % data2.signal %></td>
+							<td class="td"><%= "%d" % data2.rcpi %></td>
+							<td class="td"><%= "%d" % data2.rsni %></td>
+							<td class="td"><%= "%.2f" % (data2.channel_utilization / 2.55) %> %</td>
+							<td class="td"><%= "%d" % data2.num_sta %></td>
+							<td class="td"><%= "%d" % data2.score %></td>
+						</tr>
+					<%
+								count_loop = count_loop + 1
+							end
+						end
+					%>
+				</table>
+			</div>
+		<%
+			end
+		%>
+	]])
 end
 
-return m
\ No newline at end of file
+return m
diff --git a/applications/luci-app-dawn/luasrc/model/cbi/dawn/dawn_network.lua b/applications/luci-app-dawn/luasrc/model/cbi/dawn/dawn_network.lua
index 222778162b..6b6d6e346f 100644
--- a/applications/luci-app-dawn/luasrc/model/cbi/dawn/dawn_network.lua
+++ b/applications/luci-app-dawn/luasrc/model/cbi/dawn/dawn_network.lua
@@ -9,86 +9,84 @@ function s.render(self, sid)
 	local utl = require "luci.util"
 	tpl.render_string([[
 		<%
-	    local status = require "luci.tools.ieee80211"
-		local utl = require "luci.util"
-		local sys = require "luci.sys"
-		local hosts = sys.net.host_hints()
-		local stat = utl.ubus("dawn", "get_network", { })
-		local name, macs
-		for name, macs in pairs(stat) do
+			local status = require "luci.tools.ieee80211"
+			local utl = require "luci.util"
+			local sys = require "luci.sys"
+			local xml = require "luci.xml"
+			local hosts = sys.net.host_hints()
+			local stat = utl.ubus("dawn", "get_network", { })
+			local name, macs
+			for name, macs in pairs(stat) do
 		%>
-
 			<div class="cbi-section-node">
-	        <h3>SSID: <%= name %></h3>
-			<div class="table" id=network_overview_main">
-				<div class="tr table-titles">
-					<div class="th">AP</div>
-					<div class="th">Clients</div>
-				</div>
-			<%
-			local mac, data
-			for mac, data in pairs(macs) do
-			%>
-				<div class="tr">
-					<div class="td" style="vertical-align: top;">
-						<div class="table" id="ap-<%= mac %>">
-							<div class="tr table-titles">
-								<div class="th">Hostname</div>
-								<div class="th">Interface</div>
-								<div class="th">MAC</div>
-								<div class="th">Utilization</div>
-								<div class="th">Frequency</div>
-								<div class="th">Stations</div>
-								<div class="th">HT Sup</div>
-								<div class="th">VHT Sup</div>
-							</div>
-							<div class="tr">
-								<div class="td"><%= data.hostname %></div>
-								<div class="td"><%= data.iface %></div>
-								<div class="td"><%= mac %></div>
-								<div class="td"><%= "%.2f" %(data.channel_utilization / 2.55) %> %</div>
-								<div class="td"><%= "%.3f" %( data.freq / 1000 ) %> GHz (Channel: <%= "%d" %( status.frequency_to_channel(data.freq) ) %>)</div>
-								<div class="td"><%= "%d" %data.num_sta %></div>
-								<div class="td"><%= (data.ht_support == true) and "available" or "not available" %></div>
-								<div class="td"><%= (data.vht_support == true) and "available" or "not available" %></div>
-							</div>
-							</div>
-						</div>
-					<div class="td" style="vertical-align: top;">
-						<div class="table" id="clients-<%= mac %>">
-							<div class="tr table-titles">
-								<div class="th">MAC</div>
-								<div class="th">HT</div>
-								<div class="th">VHT</div>
-								<div class="th">Signal</div>
-							</div>
-							<%
-							local mac2, data2
-							for clientmac, clientvals in pairs(data) do
-								if (type(clientvals) == "table") then
-							%>
-								<div class="tr">
-									<div class="td"><%= clientmac %></div>
-									<div class="td"><%= (clientvals.ht == true) and "available" or "not available" %></div>
-									<div class="td"><%= (clientvals.vht == true) and "available" or "not available" %></div>
-									<div class="td"><%= "%d" %clientvals.signal %></div>
-								</div>
-								<%
-								end
-								%>
-							<%
-							end
-							%>
-							</div>
-						</div>
-					</div>
-			<%
-			end
-			%>
-			</div>
+				<h3>SSID: <%= xml.pcdata(name) %></h3>
+				<table class="table" id=network_overview_main">
+					<tr class="tr table-titles">
+						<th class="th">AP</th>
+						<th class="th">Clients</th>
+					</tr>
+					<%
+						local mac, data
+						for mac, data in pairs(macs) do
+					%>
+						<tr class="tr">
+							<td class="td" style="vertical-align: top;">
+								<table class="table" id="ap-<%= mac %>">
+									<tr class="tr table-titles">
+										<th class="th">Hostname</th>
+										<th class="th">Interface</th>
+										<th class="th">MAC</th>
+										<th class="th">Utilization</th>
+										<th class="th">Frequency</th>
+										<th class="th">Stations</th>
+										<th class="th">HT Sup</th>
+										<th class="th">VHT Sup</th>
+									</tr>
+									<tr class="tr">
+										<td class="td"><%= xml.pcdata(data.hostname) %></td>
+										<td class="td"><%= xml.pcdata(data.iface) %></td>
+										<td class="td"><%= mac %></td>
+										<td class="td"><%= "%.2f" %(data.channel_utilization / 2.55) %> %</td>
+										<td class="td"><%= "%.3f" %( data.freq / 1000 ) %> GHz (Channel: <%= "%d" %( status.frequency_to_channel(data.freq) ) %>)</td>
+										<td class="td"><%= "%d" % data.num_sta %></td>
+										<td class="td"><%= (data.ht_support == true) and "available" or "not available" %></td>
+										<td class="td"><%= (data.vht_support == true) and "available" or "not available" %></td>
+									</tr>
+								</table>
+							</td>
+							<td class="td" style="vertical-align: top;">
+								<table class="table" id="clients-<%= mac %>">
+									<tr class="tr table-titles">
+										<th class="th">MAC</th>
+										<th class="th">HT</th>
+										<th class="th">VHT</th>
+										<th class="th">Signal</th>
+									</tr>
+									<%
+										local mac2, data2
+										for clientmac, clientvals in pairs(data) do
+											if (type(clientvals) == "table") then
+									%>
+										<tr class="tr">
+											<td class="td"><%= clientmac %></td>
+											<td class="td"><%= (clientvals.ht == true) and "available" or "not available" %></td>
+											<td class="td"><%= (clientvals.vht == true) and "available" or "not available" %></td>
+											<td class="td"><%= "%d" % clientvals.signal %></td>
+										</tr>
+									<%
+											end
+										end
+									%>
+								</table>
+							</td>
+						</tr>
+					<%
+						end
+					%>
+				</table>
 			</div>
 		<%
-		end
+			end
 		%>
 	]])
 end
-- 
cgit v1.2.3

