From cee2ffc44ecdfb63f98aa1dd1d3f930737a8e68c Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/devtools/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 acfupdate-html.lsp | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/acfupdate-html.lsp b/acfupdate-html.lsp
index b612f6d..aa5683e 100644
--- a/acfupdate-html.lsp
+++ b/acfupdate-html.lsp
@@ -14,10 +14,10 @@ require("viewfunctions")
 	end
 	if #cmdresult > 0 then
 		for i,result in ipairs(cmdresult) do
-			io.write("<H1>"..result.label.."</H1>\n<DL>\n")
+			io.write("<H1>"..html.html_escape(result.label).."</H1>\n<DL>\n")
 			for i,value in ipairs(result.value) do
 				if value.updates ~= "" then %>
-<H3><%= value.name %></H3>
+<H3><%= html.html_escape(value.name) %></H3>
 <pre><%= html.html_escape(value.updates) %></pre>
 				<% end
 			end
@@ -32,7 +32,7 @@ require("viewfunctions")
 displayitem(data.value.version)
 if data.value.version and data.value.version.errtxt and session.permissions.apk and session.permissions.apk.install then
 %>
-	<a href="<%= page_info.script %>/apk-tools/apk/install?package=<%= data.value.version.name %>&redir=<%= page_info.orig_action %>">Install</a>
+	<a href="<%= html.html_escape(page_info.script) %>/apk-tools/apk/install?package=<%= html.html_escape(data.value.version.name) %>&redir=<%= html.html_escape(page_info.orig_action) %>">Install</a>
 <%
 end
 displayitem(data.value.repository)
@@ -44,32 +44,32 @@ displayitem(data.value.repository)
 <DL>
 <DT>View Status</DT> 
 <DD>
-<form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/status" %>" method="POST">
-<input type=hidden value="<%= data.value.repository.value %>" name="repository">
+<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/status") %>" method="POST">
+<input type=hidden value="<%= html.html_escape(data.value.repository.value) %>" name="repository">
 <input type=submit class=submit value="View Status">
 </form>
 </DD>
 <% if session.permissions.acfupdate.diff then %>
 <DT>View Diff</DT> 
 <DD>
-<form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/diff" %>" method="POST">
-<input type=hidden value="<%= data.value.repository.value %>" name="repository">
+<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/diff") %>" method="POST">
+<input type=hidden value="<%= html.html_escape(data.value.repository.value) %>" name="repository">
 <input type=submit class=submit value="View Diff">
 </form>
 </DD>
 <% end %>
 <DT>View Log</DT>
 <DD>
-<form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/log" %>" method="POST">
-<input type=hidden value="<%= data.value.repository.value %>" name="repository">
+<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/log") %>" method="POST">
+<input type=hidden value="<%= html.html_escape(data.value.repository.value) %>" name="repository">
 <input type=submit class=submit value="View Log">
 </form>
 </DD>
 <% if session.permissions.acfupdate.update then %>
 <DT>Update</DT> 
 <DD>
-<form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/update" %>" method="POST">
-<input type=hidden value="<%= data.value.repository.value %>" name="repository">
+<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/update") %>" method="POST">
+<input type=hidden value="<%= html.html_escape(data.value.repository.value) %>" name="repository">
 <input type=submit class=submit value="Update">
 </form>
 </DD>
-- 
cgit v1.2.3