From afcd120c1c5b8d839820259c9d8b488e994fcffe Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/openssl/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 openssl-html.lsp | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

(limited to 'openssl-html.lsp')

diff --git a/openssl-html.lsp b/openssl-html.lsp
index 4258171..bd2ed7e 100644
--- a/openssl-html.lsp
+++ b/openssl-html.lsp
@@ -18,7 +18,7 @@ io.write(html.cfe_unpack(view))
 
 <% displaycommandresults({"approve", "deleterequest", "deletemyrequest", "renewcert", "requestrenewcert", "revoke", "deletecert"}, session) %>
 
-<H1>Pending certificate requests<% if view.value.user then%> for <%= view.value.user.value %><% end %></H1>
+<H1>Pending certificate requests<% if view.value.user then%> for <%= html.html_escape(view.value.user.value) %><% end %></H1>
 <% if not view.value.pending or #view.value.pending.value == 0 then %>
 	No certificates pending
 <% else %>
@@ -47,9 +47,9 @@ io.write(html.cfe_unpack(view))
 			io.write(html.link{value="deletemyrequest?request="..request.name, label="Delete "})
 		end %>
 		</td>
-		<td><%= request.user %></td>
-		<td><%= request.certtype %></td>
-		<td><%= request.commonName %></td>
+		<td><%= html.html_escape(request.user) %></td>
+		<td><%= html.html_escape(request.certtype) %></td>
+		<td><%= html.html_escape(request.commonName) %></td>
 		</tr>
 	<% end %>
 </tbody>
@@ -74,7 +74,7 @@ else
 	approved = view.value.approved.value
 end %>
 	
-<H1>Approved certificate requests<% if view.value.user then%> for <%= view.value.user.value %><% end %></H1>
+<H1>Approved certificate requests<% if view.value.user then%> for <%= html.html_escape(view.value.user.value) %><% end %></H1>
 <% if #approved == 0 then %>
 	No certificates approved
 <% else %>
@@ -111,18 +111,18 @@ end %>
 			<%= html.link{value="deletecert?cert="..cert.name, label="Delete "} %>
 		<% end %>
 		</td>
-		<td><%= cert.user %></td>
-		<td><%= cert.certtype %></td>
-		<td><%= cert.commonName %></td>
-		<td><%= tostring(tonumber('0x'..cert.serial)) %></td>
-		<td><%= cert.enddate %></td>
+		<td><%= html.html_escape(cert.user) %></td>
+		<td><%= html.html_escape(cert.certtype) %></td>
+		<td><%= html.html_escape(cert.commonName) %></td>
+		<td><%= html.html_escape(tostring(tonumber('0x'..cert.serial))) %></td>
+		<td><%= html.html_escape(cert.enddate) %></td>
 		</tr>
 	<% end %>
 <tbody>
 </table>
 <% end %>
 
-<H1>Revoked certificates<% if view.value.user then%> for <%= view.value.user.value %><% end %></H1>
+<H1>Revoked certificates<% if view.value.user then%> for <%= html.html_escape(view.value.user.value) %><% end %></H1>
 <% if #revoked == 0 then %>
 	No certificates revoked
 <% else %>
@@ -150,10 +150,10 @@ end %>
 			<%= html.link{value="deletecert?cert="..cert.name, label="Delete "} %>
 		<% end %>
 		</td>
-		<td><%= cert.user %></td>
-		<td><%= cert.certtype %></td>
-		<td><%= cert.commonName %></td>
-		<td><%= tostring(tonumber('0x'..cert.serial)) %></td>
+		<td><%= html.html_escape(cert.user) %></td>
+		<td><%= html.html_escape(cert.certtype) %></td>
+		<td><%= html.html_escape(cert.commonName) %></td>
+		<td><%= html.html_escape(tostring(tonumber('0x'..cert.serial))) %></td>
 		</tr>
 	<% end %>
 </tbody>
-- 
cgit v1.2.3