9 files changed, 24 insertions, 24 deletions

diff --git a/openssl-checkenvironment-html.lsp b/openssl-checkenvironment-html.lsp
index 3fca9f0..cddd596 100644
--- a/openssl-checkenvironment-html.lsp
+++ b/openssl-checkenvironment-html.lsp
@@ -5,7 +5,7 @@
 io.write(html.cfe_unpack(form))
 --]] %>
 
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <DL>
 <% displayitem(form.value.status) %>
 </DL>
diff --git a/openssl-editdefaults-html.lsp b/openssl-editdefaults-html.lsp
index 2962877..9a43346 100644
--- a/openssl-editdefaults-html.lsp
+++ b/openssl-editdefaults-html.lsp
@@ -5,7 +5,7 @@
 io.write(html.cfe_unpack(form))
 --]] %>
 
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <%
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 	local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O",
diff --git a/openssl-generatecacert-html.lsp b/openssl-generatecacert-html.lsp
index a4ebdd3..36f3a6b 100644
--- a/openssl-generatecacert-html.lsp
+++ b/openssl-generatecacert-html.lsp
@@ -5,7 +5,7 @@
 io.write(html.cfe_unpack(form))
 --]] %>
 
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <%
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 	local order = { "countryName", "C", "stateOrProvinceName", "ST", "localityName", "L", "organizationName", "O",
diff --git a/openssl-html.lsp b/openssl-html.lsp
index 4258171..bd2ed7e 100644
--- a/openssl-html.lsp
+++ b/openssl-html.lsp
@@ -18,7 +18,7 @@ io.write(html.cfe_unpack(view))
 
 <% displaycommandresults({"approve", "deleterequest", "deletemyrequest", "renewcert", "requestrenewcert", "revoke", "deletecert"}, session) %>
 
-<H1>Pending certificate requests<% if view.value.user then%> for <%= view.value.user.value %><% end %></H1>
+<H1>Pending certificate requests<% if view.value.user then%> for <%= html.html_escape(view.value.user.value) %><% end %></H1>
 <% if not view.value.pending or #view.value.pending.value == 0 then %>
 	No certificates pending
 <% else %>
@@ -47,9 +47,9 @@ io.write(html.cfe_unpack(view))
 			io.write(html.link{value="deletemyrequest?request="..request.name, label="Delete "})
 		end %>
 		</td>
-		<td><%= request.user %></td>
-		<td><%= request.certtype %></td>
-		<td><%= request.commonName %></td>
+		<td><%= html.html_escape(request.user) %></td>
+		<td><%= html.html_escape(request.certtype) %></td>
+		<td><%= html.html_escape(request.commonName) %></td>
 		</tr>
 	<% end %>
 </tbody>
@@ -74,7 +74,7 @@ else
 	approved = view.value.approved.value
 end %>
 	
-<H1>Approved certificate requests<% if view.value.user then%> for <%= view.value.user.value %><% end %></H1>
+<H1>Approved certificate requests<% if view.value.user then%> for <%= html.html_escape(view.value.user.value) %><% end %></H1>
 <% if #approved == 0 then %>
 	No certificates approved
 <% else %>
@@ -111,18 +111,18 @@ end %>
 			<%= html.link{value="deletecert?cert="..cert.name, label="Delete "} %>
 		<% end %>
 		</td>
-		<td><%= cert.user %></td>
-		<td><%= cert.certtype %></td>
-		<td><%= cert.commonName %></td>
-		<td><%= tostring(tonumber('0x'..cert.serial)) %></td>
-		<td><%= cert.enddate %></td>
+		<td><%= html.html_escape(cert.user) %></td>
+		<td><%= html.html_escape(cert.certtype) %></td>
+		<td><%= html.html_escape(cert.commonName) %></td>
+		<td><%= html.html_escape(tostring(tonumber('0x'..cert.serial))) %></td>
+		<td><%= html.html_escape(cert.enddate) %></td>
 		</tr>
 	<% end %>
 <tbody>
 </table>
 <% end %>
 
-<H1>Revoked certificates<% if view.value.user then%> for <%= view.value.user.value %><% end %></H1>
+<H1>Revoked certificates<% if view.value.user then%> for <%= html.html_escape(view.value.user.value) %><% end %></H1>
 <% if #revoked == 0 then %>
 	No certificates revoked
 <% else %>
@@ -150,10 +150,10 @@ end %>
 			<%= html.link{value="deletecert?cert="..cert.name, label="Delete "} %>
 		<% end %>
 		</td>
-		<td><%= cert.user %></td>
-		<td><%= cert.certtype %></td>
-		<td><%= cert.commonName %></td>
-		<td><%= tostring(tonumber('0x'..cert.serial)) %></td>
+		<td><%= html.html_escape(cert.user) %></td>
+		<td><%= html.html_escape(cert.certtype) %></td>
+		<td><%= html.html_escape(cert.commonName) %></td>
+		<td><%= html.html_escape(tostring(tonumber('0x'..cert.serial))) %></td>
 		</tr>
 	<% end %>
 </tbody>
diff --git a/openssl-putcacert-html.lsp b/openssl-putcacert-html.lsp
index 35bd34a..acb8677 100644
--- a/openssl-putcacert-html.lsp
+++ b/openssl-putcacert-html.lsp
@@ -5,7 +5,7 @@
 io.write(html.cfe_unpack(form))
 --]] %>
 
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <%
 	-- This is a kludge to get file upload working
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action .. '" enctype="multipart/form-data'
diff --git a/openssl-request-html.lsp b/openssl-request-html.lsp
index b2b6495..6e2f77c 100644
--- a/openssl-request-html.lsp
+++ b/openssl-request-html.lsp
@@ -5,7 +5,7 @@
 io.write(html.cfe_unpack(form))
 --]] %>
 
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <%
 	form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 	form.value.password.type = "password"
diff --git a/openssl-status-html.lsp b/openssl-status-html.lsp
index b1b59ea..68623da 100644
--- a/openssl-status-html.lsp
+++ b/openssl-status-html.lsp
@@ -11,7 +11,7 @@ io.write(html.cfe_unpack(view))
 <DL>
 <% displayitem(view.value.version) %>
 <% if view.value.version and view.value.version.errtxt and session.permissions.apk and session.permissions.apk.install then %>
-	<a href="<%= page_info.script .. "/apk-tools/apk/install?package="..view.value.version.name %>">Install</a>
+	<a href="<%= html.html_escape(page_info.script .. "/apk-tools/apk/install?package="..view.value.version.name) %>">Install</a>
 <% end %>
 <% displayitem(view.value.conffile) %>
 <% displayitem(view.value.environment) %>
@@ -26,7 +26,7 @@ io.write(html.cfe_unpack(view))
 		end
 	elseif not view.value.cacert.errtxt and not view.value.cakey.errtxt then %>
 <H1>CA Certificate contents</H1>
-<pre><%= view.value.cacertcontents.value %></pre>
+<pre><%= html.html_escape(view.value.cacertcontents.value) %></pre>
 	<% elseif viewlibrary and viewlibrary.dispatch_component then
 		if session.permissions.openssl.putcacert then
 			viewlibrary.dispatch_component("putcacert")
diff --git a/openssl-viewcert-html.lsp b/openssl-viewcert-html.lsp
index d23cb53..1acb166 100644
--- a/openssl-viewcert-html.lsp
+++ b/openssl-viewcert-html.lsp
@@ -5,4 +5,4 @@ io.write(html.cfe_unpack(view))
 --]] %>
 
 <H1>Certificate Details</H1>
-<pre><%= view.value.value %></pre>
+<pre><%= html.html_escape(view.value.value) %></pre>
diff --git a/openssl-viewrequest-html.lsp b/openssl-viewrequest-html.lsp
index 30c5c05..7e42a42 100644
--- a/openssl-viewrequest-html.lsp
+++ b/openssl-viewrequest-html.lsp
@@ -5,4 +5,4 @@ io.write(html.cfe_unpack(view))
 --]] %>
 
 <H1>Request Details</H1>
-<pre><%= view.value.value %></pre>
+<pre><%= html.html_escape(view.value.value) %></pre>