Modified html.lua and viewlibrary.lua and all html files to html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/gnats/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed

1 files changed, 6 insertions, 6 deletions

diff --git a/gnats-summary-html.lsp b/gnats-summary-html.lsp
index adc6e74..441368a 100644
--- a/gnats-summary-html.lsp
+++ b/gnats-summary-html.lsp
@@ -55,12 +55,12 @@ DL { padding-top: 5px; }
 
 <% for k,v in pairs(form.summary) do %>
 
-  <tr class='<% io.write(string.sub(v.state,1,1)) %>'>
-	<td width='30px'><A HREF='queryresult?pr=<% io.write(v.number) %>' STYLE='font-weight:bold;'><% io.write(v.number  or "") %></A></td>
-	<td width='15px'><% io.write(string.sub(v.state,1,1)  or "") %></td>
-	<td width='80px'><% io.write(v.submit_date or "") %></td>
-	<td width='80px'><% io.write(v.severity or "")%></td>
-	<td style='white-space:normal;word-wrap:break-word'><% io.write(v.synopsis) %></td>
+  <tr class='<%= html.html_escape(string.sub(v.state,1,1)) %>'>
+	<td width='30px'><A HREF='queryresult?pr=<%= html.html_escape(v.number) %>' STYLE='font-weight:bold;'><%= html.html_escape(v.number) %></A></td>
+	<td width='15px'><%= html.html_escape(string.sub(v.state,1,1)) %></td>
+	<td width='80px'><%= html.html_escape(v.submit_date) %></td>
+	<td width='80px'><%= html.html_escape(v.severity) %></td>
+	<td style='white-space:normal;word-wrap:break-word'><%= html.html_escape(v.synopsis) %></td>
   </tr>
 <% end %>