Add missing escapes for contact and node descriptions (#289)

2022-03-13 08:11:22 -07:00 · 2022-03-13 08:11:22 -07:00 · 74ba25c909
parent 64d315ada5
commit 74ba25c909
3 changed files with 9 additions and 2 deletions
--- a/files/www/cgi-bin/setup
+++ b/files/www/cgi-bin/setup
@ -681,6 +681,9 @@ if parms.button_save then
        parms.wifi3_key = s2h(wifi3_key)
        parms.wifi3_ssid = s2h(wifi3_ssid)

+        -- escape and limit description
+        parms.description_node = parms.description_node:sub(1,210):gsub('"',"&quot;"):gsub("'","&apos;"):gsub("<","&lt;"):gsub(">","&gt;")
+
        -- save_setup
        local f = io.open("/etc/config.mesh/_setup", "w")
        if f then
--- a/files/www/cgi-bin/vpn
+++ b/files/www/cgi-bin/vpn
@ -242,7 +242,7 @@ if config == "" or nixio.fs.stat("/tmp/reboot-required") then
    html.alert_banner()
    html.print("<table width=790><tr><td>")
    navbar();
-    hrml.print("</td></tr><tr><td align=center><br>")
+    html.print("</td></tr><tr><td align=center><br>")
    if config == "" then
        html.print("<b>This page is not available until the configuration has been set.</b>")
    else
@ -330,6 +330,8 @@ do
                parms[varname] = "0"
            elseif not parms[varname] then
                parms[varname] = ""
+            elseif var == "contact" then
+                parms[varname] = parms[varname]:gsub("^%s+", ""):gsub("%s+$", ""):sub(1,210):gsub('"',"&quot;"):gsub("'","&apos;"):gsub("<","&lt;"):gsub(">","&gt;")
            else
                parms[varname] = parms[varname]:gsub("^%s+", ""):gsub("%s+$", "")
            end
--- a/files/www/cgi-bin/vpnc
+++ b/files/www/cgi-bin/vpnc
@ -226,7 +226,7 @@ if config == "" or nixio.fs.stat("/tmp/reboot-required") then
    html.alert_banner()
    html.print("<table width=790>")
    navbar();
-    hrml.print("</td></tr><tr><td align=center><br>")
+    html.print("</td></tr><tr><td align=center><br>")
    if config == "" then
        html.print("<b>This page is not available until the configuration has been set.</b>")
    else
@ -325,6 +325,8 @@ do
                parms[varname] = "0"
            elseif not parms[varname] then
                parms[varname] = ""
+            elseif var == "contact" then
+                parms[varname] = parms[varname]:gsub("^%s+", ""):gsub("%s+$", ""):sub(1,210):gsub('"',"&quot;"):gsub("'","&apos;"):gsub("<","&lt;"):gsub(">","&gt;")
            else
                parms[varname] = parms[varname]:gsub("^%s+", ""):gsub("%s+$", "")
            end