From 74ba25c9093b0bf9c59a838f51047fab3f8a6fec Mon Sep 17 00:00:00 2001 From: Tim Wilkinson Date: Sun, 13 Mar 2022 08:11:22 -0700 Subject: [PATCH] Add missing escapes for contact and node descriptions (#289) --- files/www/cgi-bin/setup | 3 +++ files/www/cgi-bin/vpn | 4 +++- files/www/cgi-bin/vpnc | 4 +++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/files/www/cgi-bin/setup b/files/www/cgi-bin/setup index cf618505..bd65c29a 100755 --- a/files/www/cgi-bin/setup +++ b/files/www/cgi-bin/setup @@ -681,6 +681,9 @@ if parms.button_save then parms.wifi3_key = s2h(wifi3_key) parms.wifi3_ssid = s2h(wifi3_ssid) + -- escape and limit description + parms.description_node = parms.description_node:sub(1,210):gsub('"',"""):gsub("'","'"):gsub("<","<"):gsub(">",">") + -- save_setup local f = io.open("/etc/config.mesh/_setup", "w") if f then diff --git a/files/www/cgi-bin/vpn b/files/www/cgi-bin/vpn index e8bc12e0..de0e19f3 100755 --- a/files/www/cgi-bin/vpn +++ b/files/www/cgi-bin/vpn @@ -242,7 +242,7 @@ if config == "" or nixio.fs.stat("/tmp/reboot-required") then html.alert_banner() html.print("
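Review bot: `parms.description_node:sub(1,210)` on the second added line raises "attempt to index a nil value" if the field is absent from the submitted form; the vpn and vpnc hunks guard the same chain with `elseif not parms[varname]`, this one does not, so `(parms.description_node or ""):sub(1,210)` is the safer receiver unless something earlier in this branch, outside the hunk, already defaults it. The escape chain also never rewrites `&`, so a description containing a literal `&lt;` or `&amp;` is stored verbatim and cannot be told apart from an escaped `<` or `&`; adding `:gsub("&", "&amp;")` before the `"`, `'`, `<`, `>` substitutions makes the stored form unambiguous (the replacement strings are shown entity-decoded on this page, so I assume they are `&quot;`, `&#39;`, `&lt;`, `&gt;`). The same missing `&` substitution applies to the `contact` chains in the vpn and vpnc hunks below. Note too that `:sub(1,210)` counts bytes, so a limit hit inside a multi-byte UTF-8 character leaves a truncated sequence in the stored value.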
") navbar(); - hrml.print("

") + html.print("

") if config == "" then html.print("This page is not available until the configuration has been set.") else @@ -330,6 +330,8 @@ do parms[varname] = "0" elseif not parms[varname] then parms[varname] = "" + elseif var == "contact" then + parms[varname] = parms[varname]:gsub("^%s+", ""):gsub("%s+$", ""):sub(1,210):gsub('"',"""):gsub("'","'"):gsub("<","<"):gsub(">",">") else parms[varname] = parms[varname]:gsub("^%s+", ""):gsub("%s+$", "") end diff --git a/files/www/cgi-bin/vpnc b/files/www/cgi-bin/vpnc index 336867e3..e0c0b174 100755 --- a/files/www/cgi-bin/vpnc +++ b/files/www/cgi-bin/vpnc @@ -226,7 +226,7 @@ if config == "" or nixio.fs.stat("/tmp/reboot-required") then html.alert_banner() html.print("") navbar(); - hrml.print("
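Review bot: The new `contact` branch escapes to HTML entities at save time, so the stored setting holds `&quot;` and `&lt;` rather than the characters the user typed; if the page later prints the field through any output escaping, or another consumer reads the same setting as plain text, the entities will appear doubled or literally — the rendering side is not visible from this hunk, so please confirm the field is emitted unescaped everywhere it is displayed. The branch also repeats the whitespace trim from the `else` arm; trimming unconditionally and then applying the length limit and escape under `if var == "contact" then` would keep the two arms from drifting apart. The identical chain appears in the vpnc hunk below and in the setup hunk, so a single shared escape helper would avoid three copies to keep in sync. The enclosing `do` loop starts before this hunk.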

") + html.print("

") if config == "" then html.print("This page is not available until the configuration has been set.") else @@ -325,6 +325,8 @@ do parms[varname] = "0" elseif not parms[varname] then parms[varname] = "" + elseif var == "contact" then + parms[varname] = parms[varname]:gsub("^%s+", ""):gsub("%s+$", ""):sub(1,210):gsub('"',"""):gsub("'","'"):gsub("<","<"):gsub(">",">") else parms[varname] = parms[varname]:gsub("^%s+", ""):gsub("%s+$", "") end