From af267177f743271990e593265ca32ce341d483d4 Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/fetchmail/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 fetchmail-config-html.lsp      |  4 ++--
 fetchmail-editentry-html.lsp   |  2 +-
 fetchmail-listentries-html.lsp | 12 ++++++------
 fetchmail-startstop-html.lsp   |  6 +++---
 4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/fetchmail-config-html.lsp b/fetchmail-config-html.lsp
index 756281c..811fd20 100644
--- a/fetchmail-config-html.lsp
+++ b/fetchmail-config-html.lsp
@@ -11,8 +11,8 @@ end %>
 
 <DL>
 <dt>Edit global settings</dt>
-<dd><form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/editconfig" %>" method="POST">
-<input class="hidden" type="hidden"  name="redir"  value="<%= page_info.orig_action %>" >
+<dd><form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/editconfig") %>" method="POST">
+<input class="hidden" type="hidden"  name="redir"  value="<%= html.html_escape(page_info.orig_action) %>" >
 <input type=submit value="Edit" class="submit">
 </form></dd>
 </DL>
diff --git a/fetchmail-editentry-html.lsp b/fetchmail-editentry-html.lsp
index 63cbf03..07150bb 100644
--- a/fetchmail-editentry-html.lsp
+++ b/fetchmail-editentry-html.lsp
@@ -2,7 +2,7 @@
 require("viewfunctions")
 %>
 
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <%
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 	if page_info.action == "editentry" then
diff --git a/fetchmail-listentries-html.lsp b/fetchmail-listentries-html.lsp
index 9ddcf64..32b550a 100644
--- a/fetchmail-listentries-html.lsp
+++ b/fetchmail-listentries-html.lsp
@@ -27,17 +27,17 @@ io.write("</span>")
 			<% io.write(html.link{value = "editentry?entry=" .. entry.entry.."&method="..entry.method.."&remotemailbox="..entry.remotemailbox.."&localdomain="..entry.localdomain.."&redir="..page_info.orig_action, label="Edit " }) %>
 			<% io.write(html.link{value = "deleteentry?entry=" .. entry.entry.."&method="..entry.method.."&remotemailbox="..entry.remotemailbox.."&localdomain="..entry.localdomain, label="Delete " }) %>
 		</TD>
-		<TD style="padding-right:20px;white-space:nowrap;"><%= entry.entry %></TD>
-		<TD style="padding-right:20px;white-space:nowrap;"><%= entry.enabled %></TD>
-		<TD style="padding-right:20px;white-space:nowrap;"><%= entry.method %></TD>
-		<TD style="white-space:nowrap;" width="90%"><% if entry.localdomain and entry.localdomain ~= "" then io.write(entry.localdomain) else io.write(entry.remotemailbox) end %></TD>
+		<TD style="padding-right:20px;white-space:nowrap;"><%= html.html_escape(entry.entry) %></TD>
+		<TD style="padding-right:20px;white-space:nowrap;"><%= html.html_escape(entry.enabled) %></TD>
+		<TD style="padding-right:20px;white-space:nowrap;"><%= html.html_escape(entry.method) %></TD>
+		<TD style="white-space:nowrap;" width="90%"><% if entry.localdomain and entry.localdomain ~= "" then io.write(html.html_escape(entry.localdomain)) else io.write(html.html_escape(entry.remotemailbox)) end %></TD>
 	</TR>
 <% end %>
 </TABLE>
 
 <DT>Add new entry</DT>
-<DD><form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/createentry" %>" method="POST">
-<input class="hidden" type="hidden"  name="redir"  value="<%= page_info.orig_action %>" >
+<DD><form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/createentry") %>" method="POST">
+<input class="hidden" type="hidden"  name="redir"  value="<%= html.html_escape(page_info.orig_action) %>" >
 <input type=submit value="New" class="submit">
 </form></DD>
 </DL>
diff --git a/fetchmail-startstop-html.lsp b/fetchmail-startstop-html.lsp
index bd4c275..48ca35d 100644
--- a/fetchmail-startstop-html.lsp
+++ b/fetchmail-startstop-html.lsp
@@ -2,7 +2,7 @@
 
 <H1>Management</H1>
 <DL>
-<form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>" method="POST">
+<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action) %>" method="POST">
 <DT>Program control-panel</DT>
 <DD>
 <input class="submit" type="submit" name="action" value="Start" <% if data.value.status.value== "Running" then io.write("disabled") end %>>
@@ -23,9 +23,9 @@
 <DT>Previous action result</DT>
 <DD>
 <% if data.value.result.value ~= "" then %>
-<P CLASS='descr'><%= string.gsub(data.value.result.value, "\n", "<BR>") %></P>
+<P CLASS='descr'><%= string.gsub(html.html_escape(data.value.result.value), "\n", "<BR>") %></P>
 <% end if data.value.result.errtxt then %>
-<P CLASS='error'><%= string.gsub(data.value.result.errtxt, "\n", "<BR>") %></P>
+<P CLASS='error'><%= string.gsub(html.html_escape(data.value.result.errtxt), "\n", "<BR>") %></P>
 <% end end %>
 </DD>
 </DL>
-- 
cgit v1.2.3