From 90e9b462507fb48a4600e7e18dd643c9c174506b Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/chrony/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 chrony-details-html.lsp   | 2 +-
 chrony-keyfile-html.lsp   | 2 +-
 chrony-startstop-html.lsp | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/chrony-details-html.lsp b/chrony-details-html.lsp
index 43e00d6..fb74521 100644
--- a/chrony-details-html.lsp
+++ b/chrony-details-html.lsp
@@ -11,7 +11,7 @@ io.write("</span>")
 
 <% viewlibrary.dispatch_component("status") %>
 
-<H2><%= data.label %></H2>
+<H2><%= html.html_escape(data.label) %></H2>
 <DL>
 <% displayitem(data.value.time) %>
 <% displayitem(data.value.sources) %>
diff --git a/chrony-keyfile-html.lsp b/chrony-keyfile-html.lsp
index 9d1188c..50420b6 100644
--- a/chrony-keyfile-html.lsp
+++ b/chrony-keyfile-html.lsp
@@ -8,7 +8,7 @@
 <%
 	displayitem(form.value.status)
 	if form.value.status.errtxt then %>
-<dt></dt><dd><form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/enablekeyfile" %>">
+<dt></dt><dd><form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/enablekeyfile") %>">
 <input class="submit" type="submit" value="Enable"></form></dd>
 <%	end
 %>
diff --git a/chrony-startstop-html.lsp b/chrony-startstop-html.lsp
index 2dafac5..7ad44f3 100644
--- a/chrony-startstop-html.lsp
+++ b/chrony-startstop-html.lsp
@@ -2,7 +2,7 @@
 
 <H1>Management</H1>
 <DL>
-<form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>" method="POST">
+<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action) %>" method="POST">
 <DT>Program control-panel</DT>
 <DD>
 <input class="submit" type="submit" name="action" value="Start" <% if data.value.status.value== "Running" then io.write("disabled") end %>>
@@ -20,9 +20,9 @@
 <DT>Previous action result</DT>
 <DD>
 <% if data.value.result.value ~= "" then %>
-<P CLASS='descr'><%= string.gsub(data.value.result.value, "\n", "<BR>") %></P>
+<P CLASS='descr'><%= string.gsub(html.html_escape(data.value.result.value), "\n", "<BR>") %></P>
 <% end if data.value.result.errtxt then %>
-<P CLASS='error'><%= string.gsub(data.value.result.errtxt, "\n", "<BR>") %></P>
+<P CLASS='error'><%= string.gsub(html.html_escape(data.value.result.errtxt), "\n", "<BR>") %></P>
 <% end end %>
 </DD>
 </DL>
-- 
cgit v1.2.3