From 76cbb205333360ae618c3b8a20faccf747039070 Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to html_escape variables before displaying them.
git-svn-id: svn://svn.alpinelinux.org/acf/core/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
app/acf-util/roles-editrole-html.lsp | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'app/acf-util/roles-editrole-html.lsp')
diff --git a/app/acf-util/roles-editrole-html.lsp b/app/acf-util/roles-editrole-html.lsp
index 1997a97..f243ecb 100644
--- a/app/acf-util/roles-editrole-html.lsp
+++ b/app/acf-util/roles-editrole-html.lsp
@@ -5,7 +5,7 @@ io.write(html.cfe_unpack(form)) --]] %> -

<%= form.label %>

+

<%= html.html_escape(form.label) %>

<% displayformstart(form, page_info) -- If editing existing role, disable role @@ -23,7 +23,7 @@ myitem.class = "error" io.write(' class="error"') end - io.write(">" .. myitem.label .. "\n") + io.write(">" .. html.html_escape(myitem.label) .. "\n") io.write("
") -- FIXME multiple select doesn't work in haserl, so use series of checkboxes myitem.class = nil @@ -44,7 +44,7 @@ myitem.checked = reverseval[val] if reversedefault[val] then myitem.disabled = true else myitem.disabled = nil end myitem.name = tempname .. "." .. x - io.write(html.form.checkbox(myitem) .. val .. "
\n") + io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "
\n") end -- Check for values not in options if myitem.errtxt then @@ -55,7 +55,7 @@ if not reverseopt[val] then myitem.value = val myitem.checked = true - io.write(html.form.checkbox(myitem) .. val .. "
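Review bot: Escaping `val` covers only the text printed after each checkbox; the same data also reaches `html.form.checkbox(myitem)` through `myitem.name = tempname .. "." .. x` here and through `myitem.value = val` in the next hunk (`@@ -55,7 +55,7 @@`), where it presumably ends up inside attributes. Whether those attributes are encoded depends on html.lua, which this file-limited view of the commit does not show, so it is worth confirming that `html.form.checkbox` escapes `name` and `value`, including quote characters. The "values not in options" loop looks like the path that re-displays values which failed validation, so that is where an unescaped attribute would matter most. Both loops start and end outside the hunks.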
\n") + io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "
\n") end end if myitem.errtxt then @@ -64,8 +64,8 @@ myitem.name = tempname myitem.value = tempval - if myitem.descr then io.write('

' .. string.gsub(myitem.descr, "\n", "
") .. "

\n") end - if myitem.errtxt then io.write('

' .. string.gsub(myitem.errtxt, "\n", "
") .. "

\n") end + if myitem.descr then io.write('

' .. string.gsub(html.html_escape(myitem.descr), "\n", "
") .. "

\n") end + if myitem.errtxt then io.write('

' .. string.gsub(html.html_escape(myitem.errtxt), "\n", "
") .. "

\n") end io.write("
\n") io.write("\n") -- cgit v1.2.3
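Review bot: The rewritten `descr` and `errtxt` lines are only correct because `html.html_escape` runs before the `string.gsub` that turns newlines into break markup, and nothing in the code records that ordering. I would add a comment above them such as `-- escape first, then convert newlines; the inserted break markup must not pass through html_escape`, so that a later edit does not reverse the calls or drop the escape to get the line breaks back. The two lines differ only in the field they read, so a small local helper that takes the string and returns the escaped, newline-converted text would keep the ordering in one place. The enclosing block starts outside the hunk.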