From bd93652bba291b8c6a5d6f0753aea1a5241f9f6a Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/opennhrp/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 opennhrp-editinterface-html.lsp  |  2 +-
 opennhrp-listinterfaces-html.lsp |  8 ++++----
 opennhrp-show-html.lsp           | 12 ++++++------
 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/opennhrp-editinterface-html.lsp b/opennhrp-editinterface-html.lsp
index 6fa2bec..a9c4d65 100644
--- a/opennhrp-editinterface-html.lsp
+++ b/opennhrp-editinterface-html.lsp
@@ -17,7 +17,7 @@ require("viewfunctions")
 	});
 </script>
 
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <%
 	form.value.interface.readonly = true
 	local option = {"interface", "type", "map"}
diff --git a/opennhrp-listinterfaces-html.lsp b/opennhrp-listinterfaces-html.lsp
index ca3fdb6..7f9181c 100644
--- a/opennhrp-listinterfaces-html.lsp
+++ b/opennhrp-listinterfaces-html.lsp
@@ -4,7 +4,7 @@ require("viewfunctions")
 
 <% displaycommandresults({"editinterface"}, session) %>
 
-<h1><%= view.label %></h1>
+<h1><%= html.html_escape(view.label) %></h1>
 <TABLE>
 	<TR style="background:#eee;font-weight:bold;">
 		<TD style="padding-right:20px;white-space:nowrap;text-align:left;" class="header">Action</TD>
@@ -17,9 +17,9 @@ require("viewfunctions")
 		<TD style="padding-right:20px;white-space:nowrap;">
 		<% io.write(html.link{value = "editinterface?interface="..intf.interface.."&redir="..page_info.orig_action, label="Edit " }) %>
 		</TD>
-		<TD style="padding-right:20px;white-space:nowrap;text-align:right;"><%= intf.interface %></TD>
-		<TD style="padding-right:20px;white-space:nowrap;"><%= intf.type %></TD>
-		<TD style="white-space:nowrap;" width="90%"><P class="error"><%= string.gsub(intf.errtxt or "", "\n", "<BR>") %></P></TD>
+		<TD style="padding-right:20px;white-space:nowrap;text-align:right;"><%= html.html_escape(intf.interface) %></TD>
+		<TD style="padding-right:20px;white-space:nowrap;"><%= html.html_escape(intf.type) %></TD>
+		<TD style="white-space:nowrap;" width="90%"><P class="error"><%= string.gsub(html.html_escape(intf.errtxt), "\n", "<BR>") %></P></TD>
 	</TR>
 <% end %>
 </TABLE>
diff --git a/opennhrp-show-html.lsp b/opennhrp-show-html.lsp
index 79847c4..9b5ac46 100644
--- a/opennhrp-show-html.lsp
+++ b/opennhrp-show-html.lsp
@@ -6,12 +6,12 @@ require("viewfunctions")
 	viewlibrary.dispatch_component("status")
 end %>
 
-<H1><%= data.label %></H1>
+<H1><%= html.html_escape(data.label) %></H1>
 <DL>
 <%
 displayitem(data.value.status)
 %>
-<DT><%= data.value.peers_list.label %></DT>
+<DT><%= html.html_escape(data.value.peers_list.label) %></DT>
 <DD>
 <%
 	local found
@@ -19,7 +19,7 @@ displayitem(data.value.status)
 		found = true
 %>
 		<TABLE STYLE='margin-bottom:10px;'>
-		<TR><TD STYLE='font-weight:bold;border:none;'><IMG SRC='/skins/static/tango/16x16/places/network-server.png' width='16' height='16' alt> <%= intf %></TD><TD STYLE='border:none;'></TD></TR>
+		<TR><TD STYLE='font-weight:bold;border:none;'><IMG SRC='/skins/static/tango/16x16/places/network-server.png' width='16' height='16' alt> <%= html.html_escape(intf) %></TD><TD STYLE='border:none;'></TD></TR>
 <%		for i,entries in ipairs(addresses) do
 			io.write("<TR STYLE='padding-bottom:10px;'><TD WIDTH='150px' STYLE='font-weight:bold;padding-left:20px;border:none;'><IMG SRC='/skins/static/tango/16x16/status/")
 
@@ -36,13 +36,13 @@ displayitem(data.value.status)
 			else
 				io.write("network-error")
 			end
-			io.write(".png' width='16' height='16' title='" .. (entries.Type.descr or "") .. "'> " .. entries["Protocol-Address"].value .. "</TD><TD STYLE='font-weight:bold;border:none;'></TD></TR>\n")
+			io.write(".png' width='16' height='16' title='" .. html.html_escape(entries.Type.descr) .. "'> " .. html.html_escape(entries["Protocol-Address"].value) .. "</TD><TD STYLE='font-weight:bold;border:none;'></TD></TR>\n")
 
     			for j,entry in pairs(entries) do
 				if  j ~= "Protocol-Address" then
-					io.write("<TR><TD STYLE='font-weight:bold;padding-left:40px;border:none;'>"..entry.label.."</TD><TD STYLE='border:none;'>"..entry.value)
+					io.write("<TR><TD STYLE='font-weight:bold;padding-left:40px;border:none;'>"..html.html_escape(entry.label).."</TD><TD STYLE='border:none;'>"..html.html_escape(entry.value))
 					if entry.descr then
-						io.write(" <I>(" .. entry.descr .. ")</I>")
+						io.write(" <I>(" .. html.html_escape(entry.descr) .. ")</I>")
 					end
 					io.write("</TD></TR>\n")
 				end
-- 
cgit v1.2.3


<%= intf %>
<%= html.html_escape(intf) %>
" .. entries["Protocol-Address"].value .. "

"..entry.label.."	"..entry.value) + io.write("
"..html.html_escape(entry.label).."	"..html.html_escape(entry.value)) if entry.descr then - io.write(" (" .. entry.descr .. ")") + io.write(" (" .. html.html_escape(entry.descr) .. ")") end io.write("