From 3c67f77555e636f949588c049c2074c70a1cbe33 Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to html_escape variables before displaying them.
git-svn-id: svn://svn.alpinelinux.org/acf/alpine-baselayout/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 cron-listjobs-html.lsp | 4 ++--
 health-modules-html.lsp | 2 +-
 health-network-html.lsp | 4 ++--
 health-networkstats-html.lsp | 15 ++++++++++-----
 health-proc-html.lsp | 4 ++--
 health-storage-html.lsp | 14 +++++++-------
 health-system-html.lsp | 14 +++++++-------
 hostname-html.lsp | 2 +-
 interfaces-read-html.lsp | 18 +++++++++---------
 interfaces-update-html.lsp | 2 +-
 logfiles-status-html.lsp | 6 +++---
 logfiles-tail-html.lsp | 4 ++--
 logfiles-view-html.lsp | 6 +++---
 modules-edit-html.lsp | 4 ++--
 modules-status-html.lsp | 2 +-
 password-edit-html.lsp | 2 +-
 rc-edit-html.lsp | 2 +-
 rc-status-html.lsp | 18 +++++++++---------
 skins-read-html.lsp | 4 ++--
 19 files changed, 66 insertions(+), 61 deletions(-)
diff --git a/cron-listjobs-html.lsp b/cron-listjobs-html.lsp
index 6f21673..d9705e0 100644
--- a/cron-listjobs-html.lsp
+++ b/cron-listjobs-html.lsp
@@ -10,7 +10,7 @@ end %>

Cron Jobs

<% for i,tabl in ipairs(view.value) do %> -

<%= tabl.period %>

+

<%= html.html_escape(tabl.period) %>

<% if #tabl.jobs == 0 then %> No jobs <% else %>
@@ -25,7 +25,7 @@ No jobs <%= html.link{value=page_info.script..page_info.prefix..page_info.controller.."/editjob?name="..job.."&redir="..page_info.orig_action, label="Edit "} %> <%= html.link{value=page_info.script..page_info.prefix..page_info.controller.."/deletejob?name="..job, label="Delete "} %> - <%= string.gsub(job, "^.*/", "") %> + <%= html.html_escape(string.gsub(job, "^.*/", "")) %> <% end %>
diff --git a/health-modules-html.lsp b/health-modules-html.lsp
index ee6e0ad..5ffcf97 100644
--- a/health-modules-html.lsp
+++ b/health-modules-html.lsp
@@ -3,4 +3,4 @@
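Review bot: The new escape covers only the displayed job name on the `+` line; the same `job` string is still concatenated raw into the two link targets just above it (`"/editjob?name="..job.."&redir="..` and `"/deletejob?name="..job`), so that attribute context is only safe if html.link escapes its value internally, which is not visible in this hunk. Because `job` is a path (the gsub strips a directory prefix), it also needs URL-encoding before it goes into a query string, and the literal `&` between the parameters should be `&amp;` inside an HTML attribute. The logfiles-status-html.lsp hunk has the same shape with `"view?name="..file.value.filename.value` and its two siblings. Separately, `string.gsub` returns two values, so `html.html_escape(string.gsub(job, "^.*/", ""))` also passes the substitution count as a second argument; `html.html_escape((string.gsub(job, "^.*/", "")))` truncates it to the string.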

Modules

Installed modules

-
<%= view.value.list.value %>
+
<%= html.html_escape(view.value.list.value) %>
diff --git a/health-network-html.lsp b/health-network-html.lsp
index d97322a..5d97a9e 100644
--- a/health-network-html.lsp
+++ b/health-network-html.lsp
@@ -3,7 +3,7 @@

Network

Interface status

-
<%= view.value.interfaces.value %>
+
<%= html.html_escape(view.value.interfaces.value) %>

Routes

-
<%= view.value.routes.value %>
+
<%= html.html_escape(view.value.routes.value) %>
diff --git a/health-networkstats-html.lsp b/health-networkstats-html.lsp
index a19f71d..22b0a86 100644
--- a/health-networkstats-html.lsp
+++ b/health-networkstats-html.lsp
@@ -43,7 +43,7 @@ function Update(){ $.ajaxSetup({cache:false}); $.getJSON(
- '<%= page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>',
+ '<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action) %>', {viewtype:'json'}, function(data) { if (lastdata != null){
@@ -100,16 +100,21 @@
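Review bot: html.html_escape on the `+` line is the wrong encoder for this context: the value lands inside a single-quoted JavaScript string literal in what appears to be a script block (it is the first argument of `$.getJSON(`), where HTML entities are not decoded, so an `&` in the path would reach the server literally as `&amp;`, and a quote, newline or `</` in the value is only neutralised if html_escape happens to touch those characters, which this hunk does not show. A value placed in a JS string should go through a JavaScript-string escape (backslash-escaping `\`, `'`, CR/LF and `</`) or be serialised as JSON, not through the HTML escaper. The same applies to both `+` lines of the logfiles-tail-html.lsp hunk, where `form.value.filename.value` and `form.value.grep.value` are written into the `{name:'…',grep:'…'}` object the same way, and the grep value is additionally spliced in together with its own `',grep:'` quoting. The Update() function starts before this hunk and continues past it.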

Network Statistics

Network traffic in bytes/second -
-
+ + + +
+
+ +
Display Options
<% for intf,val in pairs(view.value) do local ipaddr = "" if val.ipaddr then ipaddr = " ("..val.ipaddr..")" end %> - - + + <% end %>
checked="checked"><%= intf.." RX"..ipaddr %> checked="checked"><%= intf.." TX"..ipaddr %>
checked="checked"><%= html.html_escape(intf).." RX"..html.html_escape(ipaddr) %> checked="checked"><%= html.html_escape(intf).." TX"..html.html_escape(ipaddr) %>
Start / Stop
diff --git a/health-proc-html.lsp b/health-proc-html.lsp
index 6e52d21..3105a1c 100644
--- a/health-proc-html.lsp
+++ b/health-proc-html.lsp
@@ -3,7 +3,7 @@

Process information

Processor

-
<%= view.value.processor.value %>
+
<%= html.html_escape(view.value.processor.value) %>

Memory

-
<%= view.value.memory.value %>
+
<%= html.html_escape(view.value.memory.value) %>
diff --git a/health-storage-html.lsp b/health-storage-html.lsp
index cd9162e..bd2a20a 100644
--- a/health-storage-html.lsp
+++ b/health-storage-html.lsp
@@ -1,22 +1,22 @@ <% local view = ... %> <% displaydisk = function(disk, name) -io.write("
"..disk.value.."
\n") +io.write("
"..html.html_escape(disk.value).."
\n") io.write('\n') io.write(" \n") io.write(" \n") if tonumber(disk.used) > 0 then - io.write(' \n') end if tonumber(disk.used) < 100 then - io.write(' \n') end io.write(' \n') @@ -24,7 +24,7 @@ io.write(" \n") io.write("
0%
') - if ( tonumber(disk.used) > 10) then io.write(disk.used .. "%") end + if ( tonumber(disk.used) > 10) then io.write(html.html_escape(disk.used) .. "%") end io.write('
') - if ( 90 > tonumber(disk.used)) then io.write((100-disk.used) .. "%") end + if ( 90 > tonumber(disk.used)) then io.write((100-tonumber(disk.used)) .. "%") end io.write('
100%
\n") io.write('\n') io.write(" \n") -io.write(' \n') +io.write(' \n') io.write(" \n") io.write("
'..name..'=Used=Free'..html.html_escape(name)..'=Used=Free
\n") end %> @@ -60,6 +60,6 @@ No RAM Disk mounted <% if view.value.partitions then %>
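Review bot: `tonumber(disk.used)` is now evaluated in five places inside displaydisk (the `> 0` and `< 100` guards, the `> 10` and `90 >` threshold checks, and the new `100-tonumber(disk.used)`), and none of them handles a nil result, so a non-numeric `disk.used` raises a comparison error before any of the escaped output is written. Converting once at the top of the function, `local used = tonumber(disk.used) or 0`, and using `used` in each place keeps the conversion and its fallback in one spot; the `html.html_escape(disk.used) .. "%"` on the `> 10` line would still print the raw string, so `used .. "%"` is the consistent choice there as well. The health-system-html.lsp hunk repeats the same `tonumber(view.value.memory.used)` pattern on its two changed `io.write` lines.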

Disk partitions

-
<%= view.value.partitions.value %>
+
<%= html.html_escape(view.value.partitions.value) %>
<% end %>
diff --git a/health-system-html.lsp b/health-system-html.lsp
index 8ee3572..9fcea6f 100644
--- a/health-system-html.lsp
+++ b/health-system-html.lsp
@@ -3,22 +3,22 @@

System

Versions and names

-
<%= view.value.version.value %>
-
<%= view.value.uname.value %>
+
<%= html.html_escape(view.value.version.value) %>
+
<%= html.html_escape(view.value.uname.value) %>

Uptime

-
<%= view.value.uptime.value %>
+
<%= html.html_escape(view.value.uptime.value) %>

Time/TimeZone

-
<%= view.value.date.value %>
-
<%= view.value.timezone.value %>
+
<%= html.html_escape(view.value.date.value) %>
+
<%= html.html_escape(view.value.timezone.value) %>

Memory

-
<%= view.value.memory.value %>
+
<%= html.html_escape(view.value.memory.value) %>
- +
0%
<% if ( tonumber(view.value.memory.used) > 10) then io.write(view.value.memory.used .. "%") end %>
<% if ( 90 > tonumber(view.value.memory.used)) then io.write((100-view.value.memory.used) .. "%") end %>
100%0%
<% if ( tonumber(view.value.memory.used) > 10) then io.write(html.html_escape(view.value.memory.used) .. "%") end %>
<% if ( 90 > tonumber(view.value.memory.used)) then io.write((100-tonumber(view.value.memory.used)) .. "%") end %>
100%
diff --git a/hostname-html.lsp b/hostname-html.lsp
index cae18ae..52238b3 100644
--- a/hostname-html.lsp
+++ b/hostname-html.lsp
@@ -1,7 +1,7 @@ <% local view = ... %> <% require("viewfunctions") %> -

<%= view.label %>

+

<%= html.html_escape(view.label) %>

<% displayitem(view) %>
diff --git a/interfaces-read-html.lsp b/interfaces-read-html.lsp
index d0984dc..7504a1f 100644
--- a/interfaces-read-html.lsp
+++ b/interfaces-read-html.lsp
@@ -11,10 +11,10 @@ io.write("") <% showoption = function(option) if option.errtxt or option.value ~= "" then %> - + <% end %> <% end %>
@@ -29,7 +29,7 @@ end %>
<% for i,entry in ipairs(view.value) do local interface = entry.value %> -
<%= interface.name.value %>
+
<%= html.html_escape(interface.name.value) %>
<%= option.label %>
<%= html.html_escape(option.label) %> > - <%= string.gsub(tostring(option.value), "\n", "
") %> - <% if option.errtxt then io.write("
"..option.errtxt) end %> + <%= string.gsub(html.html_escape(tostring(option.value)), "\n", "
") %> + <% if option.errtxt then io.write("
"..html.html_escape(option.errtxt)) end %>
<% @@ -42,16 +42,16 @@ end %> end %> <% if session.permissions.interfaces.update then %> - Edit + Edit <% end if session.permissions.interfaces.delete then %> - Delete + Delete <% end if session.permissions.interfaces.ifup then %> - ifup + ifup <% end if session.permissions.interfaces.ifdown then %> - ifdown + ifdown <% end %>
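Review bot: Escaping before the newline substitution on the `+` line is the right order, but `<%= string.gsub(html.html_escape(tostring(option.value)), "\n", …) %>` still forwards both of gsub's return values, and if `<%= %>` compiles to `io.write(expr)` (not visible here) the substitution count is printed directly after the text. Parenthesising the call, `<%= (string.gsub(html.html_escape(tostring(option.value)), "\n", …)) %>`, truncates it to the string alone. The same pattern appears on the `+` lines of the logfiles-view-html.lsp and modules-edit-html.lsp hunks. These lines belong to the showoption function that begins in the previous hunk; the rendering here interleaves the two hunks' rows.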
@@ -63,5 +63,5 @@ end %>

WARNING!!! Restarting networking may cause the ACF web interface to stop functioning. Try refreshing this page after restarting. If that fails, you may have to use terminal access to recover.

Restart Networking
-
">
+
">
diff --git a/interfaces-update-html.lsp b/interfaces-update-html.lsp
index d205c03..f796beb 100644
--- a/interfaces-update-html.lsp
+++ b/interfaces-update-html.lsp
@@ -151,7 +151,7 @@ io.write("") --]] %> -

<%= form.label %><% if page_info.action == "update" then io.write(" - "..form.value.name.value) end %>

+

<%= html.html_escape(form.label) %><% if page_info.action == "update" then io.write(html.html_escape(" - "..form.value.name.value)) end %>

<% if page_info.action == "update" then form.value.name.readonly = true
diff --git a/logfiles-status-html.lsp b/logfiles-status-html.lsp
index b4e98b4..2b2fa9e 100644
--- a/logfiles-status-html.lsp
+++ b/logfiles-status-html.lsp
@@ -31,9 +31,9 @@ <%= html.link{value = "view?name="..file.value.filename.value, label="View" } %> <%= html.link{value = "tail?name="..file.value.filename.value, label="Tail" } %> <%= html.link{value = "download?name="..file.value.filename.value, label="Download" } %> - <%= file.value.filesize.value %> - <%= file.value.mtime.value %> - <%= file.value.filename.value %> + <%= html.html_escape(file.value.filesize.value) %> + <%= html.html_escape(file.value.mtime.value) %> + <%= html.html_escape(file.value.filename.value) %> <% end %>
diff --git a/logfiles-tail-html.lsp b/logfiles-tail-html.lsp
index 72725ad..94bc4a8 100644
--- a/logfiles-tail-html.lsp
+++ b/logfiles-tail-html.lsp
@@ -8,8 +8,8 @@ function Update(){ $.ajaxSetup({cache:false}); $.getJSON(
- '<%= page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>',
- {name:'<% io.write(form.value.filename.value) if form.value.grep.value ~= "" then io.write("',grep:'"..form.value.grep.value) end %>', offset:currentoffset},
+ '<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action) %>',
+ {name:'<% io.write(html.html_escape(form.value.filename.value)) if form.value.grep.value ~= "" then io.write("',grep:'"..html.html_escape(form.value.grep.value)) end %>', offset:currentoffset}, function(data) { data.value.filecontent.value = data.value.filecontent.value.split("\n").join("
\n");
diff --git a/logfiles-view-html.lsp b/logfiles-view-html.lsp
index 338a384..386eb91 100644
--- a/logfiles-view-html.lsp
+++ b/logfiles-view-html.lsp
@@ -23,13 +23,13 @@ end <% if form.type == "form" then %> <% form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %> <% displayformstart(form) %> - + <% end %>
-<% if form.value.filecontent.errtxt then %>

<%= string.gsub(form.value.filecontent.errtxt, "\n", "
") %>

<% end %> -<% if form.value.filecontent.descr then %>

<%= string.gsub(form.value.filecontent.descr, "\n", "
") %>

<% end %> +<% if form.value.filecontent.errtxt then %>

<%= string.gsub(html.html_escape(form.value.filecontent.errtxt), "\n", "
") %>

<% end %> +<% if form.value.filecontent.descr then %>

<%= string.gsub(html.html_escape(form.value.filecontent.descr), "\n", "
") %>

<% end %> <% if form.type == "form" then %>

Save

diff --git a/modules-edit-html.lsp b/modules-edit-html.lsp index 75c360f..e3c0f8d 100644 --- a/modules-edit-html.lsp +++ b/modules-edit-html.lsp @@ -27,8 +27,8 @@ displayitem(form.value.mtime) -<% if form.value.filecontent.errtxt then %>

<%= string.gsub(form.value.filecontent.errtxt, "\n", "
") %>

<% end %> -<% if form.value.filecontent.descr then %>

<%= string.gsub(form.value.filecontent.descr, "\n", "
") %>

<% end %> +<% if form.value.filecontent.errtxt then %>

<%= string.gsub(html.html_escape(form.value.filecontent.errtxt), "\n", "
") %>

<% end %> +<% if form.value.filecontent.descr then %>

<%= string.gsub(html.html_escape(form.value.filecontent.descr), "\n", "
") %>

<% end %> <% if form.type == "form" then %>

Save

diff --git a/modules-status-html.lsp b/modules-status-html.lsp
index 9854e28..8d797b5 100644
--- a/modules-status-html.lsp
+++ b/modules-status-html.lsp
@@ -3,4 +3,4 @@

Modules

Installed modules

-
<%= view.value %>
+
<%= html.html_escape(view.value) %>
diff --git a/password-edit-html.lsp b/password-edit-html.lsp
index d9582bf..257c319 100644
--- a/password-edit-html.lsp
+++ b/password-edit-html.lsp
@@ -2,7 +2,7 @@ require("viewfunctions") %> -

<%= form.label %>

+

<%= html.html_escape(form.label) %>

<% form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action form.value.password.type = "password"
diff --git a/rc-edit-html.lsp b/rc-edit-html.lsp
index ad24179..5f18a14 100644
--- a/rc-edit-html.lsp
+++ b/rc-edit-html.lsp
@@ -2,7 +2,7 @@ require("viewfunctions") %> -

<%= form.label %>

+

<%= html.html_escape(form.label) %>

<% form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action form.value.servicename.readonly = true
diff --git a/rc-status-html.lsp b/rc-status-html.lsp
index 3272af0..a234798 100644
--- a/rc-status-html.lsp
+++ b/rc-status-html.lsp
@@ -3,15 +3,15 @@ <% if session.editresult then %>

Command Result

- <% if session.editresult.errtxt then io.write('

' .. string.gsub(session.editresult.errtxt, "\n", "
") .. "

\n") end - if session.editresult.descr then io.write('

' .. string.gsub(session.editresult.descr, "\n", "
") .. "

\n") end + <% if session.editresult.errtxt then io.write('

' .. string.gsub(html.html_escape(session.editresult.errtxt), "\n", "
") .. "

\n") end + if session.editresult.descr then io.write('

' .. string.gsub(html.html_escape(session.editresult.descr), "\n", "
") .. "

\n") end for name,val in pairs(session.editresult.value) do - if val.errtxt then io.write('

' .. string.gsub(val.errtxt, "\n", "
") .. "

\n") end + if val.errtxt then io.write('

' .. string.gsub(html.html_escape(val.errtxt), "\n", "
") .. "

\n") end end session.editresult = nil end %> -

<%= view.label %>

+

<%= html.html_escape(view.label) %>

<% if session.permissions.rc.edit then %> @@ -28,14 +28,14 @@ for i,item in ipairs(view.value) do %> for name,val in pairs(result.value) do val.name=name end if result.value.kill.value then result.value.kill.checked = "" end if result.value.system.value then result.value.system.checked = "" end %> - " method="POST"> - - + " method="POST"> + + <% else %> - - + + <% end %> <% end %>
<%= item.servicename %><%= html.form.hidden(result.value.servicename) %><%= html.form.text(result.value.sequence) %><%= html.html_escape(item.servicename) %><%= html.form.hidden(result.value.servicename) %><%= html.form.text(result.value.sequence) %> <%= html.form.checkbox(result.value.kill) %><%= html.form.checkbox(result.value.system) %>
<%= item.servicename %><%= item.sequence %><%= item.kill %><%= item.system %>
<%= html.html_escape(item.servicename) %><%= html.html_escape(item.sequence) %><%= html.html_escape(item.kill) %><%= html.html_escape(item.system) %>
diff --git a/skins-read-html.lsp b/skins-read-html.lsp
index 9bb70a0..95547a5 100644
--- a/skins-read-html.lsp
+++ b/skins-read-html.lsp
@@ -7,11 +7,11 @@
<% for i,skin in ipairs(view.value) do %> -
<%= skin.value %>
+
<%= html.html_escape(skin.value) %>
<% if (skin.inuse) then %>
in use
<% else %> -
[use this skin]
+
[use this skin]
<% end %> <% end %>