From 72a3e69b5f4adafea8905e60213371ab1b2fc019 Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/ipsec-tools/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 ipsectools-details-html.lsp    | 8 ++++----
 ipsectools-listcerts-html.lsp  | 4 ++--
 ipsectools-uploadcert-html.lsp | 2 +-
 ipsectools-viewcert-html.lsp   | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/ipsectools-details-html.lsp b/ipsectools-details-html.lsp
index b16da64..c5cdb5c 100644
--- a/ipsectools-details-html.lsp
+++ b/ipsectools-details-html.lsp
@@ -9,7 +9,7 @@ io.write("</span>")
 
 <% viewlibrary.dispatch_component("status") %>
 
-<H2><%= data.label %></H2>
+<H2><%= html.html_escape(data.label) %></H2>
 <DL>
 <%
 if not data.value.show_isakmp or #data.value.show_isakmp.value == 0 then
@@ -23,13 +23,13 @@ else
 			else
 				io.write("idle")
 			end
-			io.write(".png' width='16' height='16'> ".. entry.Destination.value .. "</H3>")
+			io.write(".png' width='16' height='16'> ".. html.html_escape(entry.Destination.value) .. "</H3>")
 			io.write("<TABLE>\n")
 			local tags = {"Created","Source","Destination", "St", "Phase2details"}
 			for j,tag in pairs(tags) do
 				io.write("<TR><TD STYLE='font-weight:bold;width:120px;border:none;'>" .. 
-					(entry[tag].label or "") .. "</TD><TD STYLE='border:none;'>"..(entry[tag].value or ""))
-				if (entry[tag].descr) and (#entry[tag].descr > 0) then io.write(" (".. entry[tag].descr .. ")") end
+					html.html_escape(entry[tag].label) .. "</TD><TD STYLE='border:none;'>"..html.html_escape(entry[tag].value))
+				if (entry[tag].descr) and (#entry[tag].descr > 0) then io.write(" (".. html.html_escape(entry[tag].descr) .. ")") end
 				io.write("</TD></TR>")
 			end
 			io.write("</TABLE>")
diff --git a/ipsectools-listcerts-html.lsp b/ipsectools-listcerts-html.lsp
index 90f8849..d2f3c69 100644
--- a/ipsectools-listcerts-html.lsp
+++ b/ipsectools-listcerts-html.lsp
@@ -4,7 +4,7 @@
 <% displaycommandresults({"deletecert"}, session) %>
 <% displaycommandresults({"uploadcert"}, session, true) %>
 
-<H1><%= view.label %></H1>
+<H1><%= html.html_escape(view.label) %></H1>
 
 <DL>
 <TABLE>
@@ -20,7 +20,7 @@
 		<%= html.link{value=page_info.script..page_info.prefix..page_info.controller.."/viewcert?cert="..cert.."&redir="..page_info.orig_action, label="View "} %>
 		<% end %>
 		</TD>
-		<TD style="white-space:nowrap;"><%= cert %></TD>
+		<TD style="white-space:nowrap;"><%= html.html_escape(cert) %></TD>
 	</TR>
 <% end %>
 </TABLE>
diff --git a/ipsectools-uploadcert-html.lsp b/ipsectools-uploadcert-html.lsp
index a3e88ba..02ed7a0 100644
--- a/ipsectools-uploadcert-html.lsp
+++ b/ipsectools-uploadcert-html.lsp
@@ -5,7 +5,7 @@
 io.write(html.cfe_unpack(form))
 --]] %>
 
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <%
 	-- This is a kludge to get file upload working
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action .. '" enctype="multipart/form-data'
diff --git a/ipsectools-viewcert-html.lsp b/ipsectools-viewcert-html.lsp
index d23cb53..1acb166 100644
--- a/ipsectools-viewcert-html.lsp
+++ b/ipsectools-viewcert-html.lsp
@@ -5,4 +5,4 @@ io.write(html.cfe_unpack(view))
 --]] %>
 
 <H1>Certificate Details</H1>
-<pre><%= view.value.value %></pre>
+<pre><%= html.html_escape(view.value.value) %></pre>
-- 
cgit v1.2.3