From 61131a0d088c5fd27e99291714903050ddb0d41a Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/dhcp/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 dhcp-edithost-html.lsp    | 2 +-
 dhcp-editsubnet-html.lsp  | 2 +-
 dhcp-home-html.lsp        | 4 ++--
 dhcp-listhosts-html.lsp   | 6 +++---
 dhcp-listsubnets-html.lsp | 6 +++---
 dhcp-settings-html.lsp    | 2 +-
 6 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/dhcp-edithost-html.lsp b/dhcp-edithost-html.lsp
index cc440c3..6cf60fb 100644
--- a/dhcp-edithost-html.lsp
+++ b/dhcp-edithost-html.lsp
@@ -2,7 +2,7 @@
 require("viewfunctions")
 %>
 
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <%
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 	if page_info.action == "edithost" then
diff --git a/dhcp-editsubnet-html.lsp b/dhcp-editsubnet-html.lsp
index c458e19..e848d79 100644
--- a/dhcp-editsubnet-html.lsp
+++ b/dhcp-editsubnet-html.lsp
@@ -2,7 +2,7 @@
 require("viewfunctions")
 %>
 
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <%
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 	if page_info.action == "editsubnet" then
diff --git a/dhcp-home-html.lsp b/dhcp-home-html.lsp
index 9c24dcf..560b2f6 100644
--- a/dhcp-home-html.lsp
+++ b/dhcp-home-html.lsp
@@ -11,8 +11,8 @@ end %>
 
 <DL>
 <dt>Edit global settings</dt>
-<dd><form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/settings" %>" method="POST">
-<input class="hidden" type="hidden"  name="redir"  value="<%= page_info.orig_action %>" >
+<dd><form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/settings") %>" method="POST">
+<input class="hidden" type="hidden"  name="redir"  value="<%= html.html_escape(page_info.orig_action) %>" >
 <input type=submit value="Edit" class="submit">
 </form></dd>
 </DL>
diff --git a/dhcp-listhosts-html.lsp b/dhcp-listhosts-html.lsp
index 6b92ecb..7a8dfd1 100644
--- a/dhcp-listhosts-html.lsp
+++ b/dhcp-listhosts-html.lsp
@@ -17,14 +17,14 @@
 			<%= html.link{value=page_info.script..page_info.prefix..page_info.controller.."/edithost?host="..host.."&redir="..page_info.orig_action, label="Edit "} %>
 			<%= html.link{value=page_info.script..page_info.prefix..page_info.controller.."/delhost?host="..host, label="Delete "} %>
 		</TD>
-		<TD style="white-space:nowrap;"><%= host %></TD>
+		<TD style="white-space:nowrap;"><%= html.html_escape(host) %></TD>
 	</TR>
 <% end %>
 </TABLE>
 		
 <dt>Add new host</dt>
-<dd><form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/createhost" %>" method="POST">
-<input class="hidden" type="hidden"  name="redir"  value="<%= page_info.orig_action %>" >
+<dd><form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/createhost") %>" method="POST">
+<input class="hidden" type="hidden"  name="redir"  value="<%= html.html_escape(page_info.orig_action) %>" >
 <input type=submit value="New" class="submit">
 </form></dd>
 </DL>
diff --git a/dhcp-listsubnets-html.lsp b/dhcp-listsubnets-html.lsp
index 242afe1..db302d0 100644
--- a/dhcp-listsubnets-html.lsp
+++ b/dhcp-listsubnets-html.lsp
@@ -17,14 +17,14 @@
 			<%= html.link{value=page_info.script..page_info.prefix..page_info.controller.."/editsubnet?subnet="..subnet.."&redir="..page_info.orig_action, label="Edit "} %>
 			<%= html.link{value=page_info.script..page_info.prefix..page_info.controller.."/delsubnet?subnet="..subnet.."&redir="..page_info.orig_action, label="Delete "} %>
 		</TD>
-		<TD style="white-space:nowrap;"><%= subnet %></TD>
+		<TD style="white-space:nowrap;"><%= html.html_escape(subnet) %></TD>
 	</TR>
 <% end %>
 </TABLE>
 		
 <dt>Add new subnet</dt>
-<dd><form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/createsubnet" %>" method="POST">
-<input class="hidden" type="hidden"  name="redir"  value="<%= page_info.orig_action %>" >
+<dd><form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/createsubnet") %>" method="POST">
+<input class="hidden" type="hidden"  name="redir"  value="<%= html.html_escape(page_info.orig_action) %>" >
 <input type=submit value="New" class="submit">
 </form></dd>
 </DL>
diff --git a/dhcp-settings-html.lsp b/dhcp-settings-html.lsp
index de209bf..3b1344a 100644
--- a/dhcp-settings-html.lsp
+++ b/dhcp-settings-html.lsp
@@ -1,7 +1,7 @@
 <% local form, viewlibrary, page_info = ... %>
 <% require("viewfunctions") %>
 
-<h1><%= form.label %></h1>
+<h1><%= html.html_escape(form.label) %></h1>
 <%
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 	local order = {"domainname", "domainnameservers", "dnsupdatestyle", "defleasetime", "maxleasetime"}
-- 
cgit v1.2.3