From e07adbcd12b29fabd666f25aca694e59f9a5d1f8 Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/openssh/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 openssh-listauth-html.lsp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'openssh-listauth-html.lsp')

diff --git a/openssh-listauth-html.lsp b/openssh-listauth-html.lsp
index f54a08a..d93bc8b 100644
--- a/openssh-listauth-html.lsp
+++ b/openssh-listauth-html.lsp
@@ -4,7 +4,7 @@
 <% displaycommandresults({"deleteauth"}, session) %>
 <% displaycommandresults({"addauth"}, session, true) %>
 
-<H1>Authorized Keys for <%= view.value.user.value %></H1>
+<H1>Authorized Keys for <%= html.html_escape(view.value.user.value) %></H1>
 <DL><TABLE>
 	<TR style="background:#eee;font-weight:bold;">
 		<TD style="padding-right:20px;white-space:nowrap;text-align:left;" class="header">Action</TD>
@@ -16,8 +16,8 @@
 		<TD style="padding-right:20px;white-space:nowrap;">
 			<%= html.link{value=page_info.script..page_info.prefix..page_info.controller.."/deleteauth?user="..view.value.user.value.."&auth="..auth.id, label="Delete "} %>
 		</TD>
-		<TD style="padding-right:20px;white-space:nowrap;"><%= auth.id %></TD>
-		<TD style="white-space:nowrap;"><% if #auth.key>32 then io.write(string.sub(auth.key,0,16) .. "  ...  " .. string.sub(auth.key, -16)) else io.write(auth.key) end %></TD>
+		<TD style="padding-right:20px;white-space:nowrap;"><%= html.html_escape(auth.id) %></TD>
+		<TD style="white-space:nowrap;"><% if #auth.key>32 then io.write(html.html_escape(string.sub(auth.key,0,16)) .. "  ...  " .. html.html_escape(string.sub(auth.key, -16))) else io.write(html.html_escape(auth.key)) end %></TD>
 	</TR>
 <% end %>
 </TABLE></DL>
-- 
cgit v1.2.3