From ce796fb65dd1ae945cc5cfd897691b8ca774ff9c Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/openvpn/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 openvpn-listconfigs-html.lsp | 10 +++++-----
 openvpn-statusinfo-html.lsp  | 12 ++++++------
 openvpn-viewconfig-html.lsp  | 34 +++++++++++++++++-----------------
 3 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/openvpn-listconfigs-html.lsp b/openvpn-listconfigs-html.lsp
index 1e67f4b..498e52f 100644
--- a/openvpn-listconfigs-html.lsp
+++ b/openvpn-listconfigs-html.lsp
@@ -29,13 +29,13 @@ end %>
 			<%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/deleteconfig?name=" .. config.name.."&redir="..page_info.orig_action, label="Delete " } %>
 		<% end %>
 		</TD>
-		<TD><%= string.gsub(config.name, "^.*/", "") %></TD>
-		<TD <% if config.errtxt then io.write('class="error"') end %>><%= config.type %></TD>
-		<TD><%= config.status %></TD>
-		<TD><% if ( config.type == "server" ) then %><% if ( config.clients > 0 ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/status_info?name=" .. config.name, label = config.clients } %><% else %><%= config.clients %><% end %><% end %></TD>
+		<TD><%= html.html_escape(string.gsub(config.name, "^.*/", "")) %></TD>
+		<TD <% if config.errtxt then io.write('class="error"') end %>><%= html.html_escape(config.type) %></TD>
+		<TD><%= html.html_escape(config.status) %></TD>
+		<TD><% if ( config.type == "server" ) then %><% if ( config.clients > 0 ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/status_info?name=" .. config.name, label = config.clients } %><% else %><%= html.html_escape(config.clients) %><% end %><% end %></TD>
 	</TR>		
 	<% if config.errtxt then %>
-		<TR class="error"><TD colspan=5><%= config.errtxt %></TD></TR>
+		<TR class="error"><TD colspan=5><%= html.html_escape(config.errtxt) %></TD></TR>
 	<% end %>
 <% end %>
 
diff --git a/openvpn-statusinfo-html.lsp b/openvpn-statusinfo-html.lsp
index e6f85b5..e68ca0c 100644
--- a/openvpn-statusinfo-html.lsp
+++ b/openvpn-statusinfo-html.lsp
@@ -13,14 +13,14 @@
 	</TR>		
 <% for i in ipairs(view.value) do %>
 	<TR>
-		<TD><%= view.value[i].CN %></TD>
-		<TD><%= view.value[i].VIRTADDR %></TD>
-		<TD><%= view.value[i].REALADDR %></TD>
-		<TD><%= view.value[i].BYTESRCV %></TD>
-		<TD><%= view.value[i].BYTESSND %></TD>
+		<TD><%= html.html_escape(view.value[i].CN) %></TD>
+		<TD><%= html.html_escape(view.value[i].VIRTADDR) %></TD>
+		<TD><%= html.html_escape(view.value[i].REALADDR) %></TD>
+		<TD><%= html.html_escape(view.value[i].BYTESRCV) %></TD>
+		<TD><%= html.html_escape(view.value[i].BYTESSND) %></TD>
 	</TR>		
 	<TR>
-		<TD COLSPAN=5 style="border-bottom: 1px solid #ccc;"><%= view.value[i].CONN %></TD>
+		<TD COLSPAN=5 style="border-bottom: 1px solid #ccc;"><%= html.html_escape(view.value[i].CONN) %></TD>
 	</TR>		
 <% end %>
 
diff --git a/openvpn-viewconfig-html.lsp b/openvpn-viewconfig-html.lsp
index 1cdfa8d..c70f191 100644
--- a/openvpn-viewconfig-html.lsp
+++ b/openvpn-viewconfig-html.lsp
@@ -2,48 +2,48 @@
 <% require("format") %>
 <% local shortname = string.gsub(view.value.name, "^.*/", "") %>
 
-<h1><%= format.cap_begin_word(view.value.type) %> config '<%= shortname %>'</h1>
+<h1><%= html.html_escape(format.cap_begin_word(view.value.type)) %> config '<%= html.html_escape(shortname) %>'</h1>
 
-<h2><%= format.cap_begin_word(view.value.type) %> settings</h2>
+<h2><%= html.html_escape(format.cap_begin_word(view.value.type)) %> settings</h2>
 <dl>
 <dt>Mode</dt>
-<dd><%= view.value.type %></dd>
+<dd><%= html.html_escape(view.value.type) %></dd>
 
 <dt>User device</dt>
-<dd><%= view.value.dev %></dd>
+<dd><%= html.html_escape(view.value.dev) %></dd>
 
 <% if view.value.type == "server" then %>
 <dt>Listens on</dt>
-<dd><%= view.value["local"] %>:<%= view.value.port %> (<%= view.value.proto %>)</dd>
+<dd><%= html.html_escape(view.value["local"]) %>:<%= html.html_escape(view.value.port) %> (<%= html.html_escape(view.value.proto) %>)</dd>
 <% end %>
 
 <% if view.value.type == "client" then %>
 <dt>Remote server</dt>
-<dd><% if string.find(view.value.remote, "%s") then io.write((string.gsub(view.value.remote, "%s+", ":"))) else io.write(view.value.remote .. (view.value.rport or view.value.port or "1194")) end %> (<%= view.value.proto %>)</dd>
+<dd><% if string.find(view.value.remote, "%s") then io.write(html.html_escape(string.gsub(view.value.remote, "%s+", ":"))) else io.write(html.html_escape(view.value.remote .. (view.value.rport or view.value.port or "1194"))) end %> (<%= html.html_escape(view.value.proto) %>)</dd>
 <% end %>
 
 <dt>Logfile</dt>
-<dd><% if ( view.value.log ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/logfile?name=" .. view.value.name, label=view.value.log } %><% else %>Syslog<% end %> (Verbosity level: <%= view.value.verb %>)</dd>
+<dd><% if ( view.value.log ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/logfile?name=" .. view.value.name, label=view.value.log } %><% else %>Syslog<% end %> (Verbosity level: <%= html.html_escape(view.value.verb) %>)</dd>
 </dl>
 
 <% if view.value.type == "server" then %>
 <h3>Connected clients status</h3>
 <dl>
 <dt>Last status was recorded</dt>
-<dd><%= view.value.client_lastupdate %> (This was <b><%= view.value.client_lastdatechangediff %></b> ago)</dd>
+<dd><%= html.html_escape(view.value.client_lastupdate) %> (This was <b><%= html.html_escape(view.value.client_lastdatechangediff) %></b> ago)</dd>
 
 <dt>Maximum clients</dt>
-<dd><%= view.value["max-clients"] %></dd>
+<dd><%= html.html_escape(view.value["max-clients"]) %></dd>
 
 <dt>Connected clients</dt>
-<dd><% if ( view.value.client_count > 0 ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/status_info?name=" .. view.value.name  , label=view.value.client_count } %><% else %><%= view.value.client_count %><% end %></dd>
+<dd><% if ( view.value.client_count > 0 ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/status_info?name=" .. view.value.name  , label=view.value.client_count } %><% else %><%= html.html_escape(view.value.client_count) %><% end %></dd>
 </dl>
 <% end %>
 
 <h2>Startup options</h2>
 <dl>
 <dt>Process status</dt>
-<dd><%= view.value.status_isrunning %></dd>
+<dd><%= html.html_escape(view.value.status_isrunning) %></dd>
 </dl>
 
 <% if view.value.dh or view.value.ca or view.value.cert or view.value.key or view.value.tls or view.value.crl then %>
@@ -51,32 +51,32 @@
 <dl>
 <% if (view.value.dh) then %>
 <dt>DH</dt>
-<dd><%= view.value.dh %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.dh  , label=view.value.dh } %></dd>
+<dd><%= html.html_escape(view.value.dh) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.dh  , label=view.value.dh } %></dd>
 <% end %>
 
 <% if (view.value.ca) then %>
 <dt>CA Certificate</dt>
-<dd><%= view.value.ca %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.ca  , label=view.value.ca } %></dd>
+<dd><%= html.html_escape(view.value.ca) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.ca  , label=view.value.ca } %></dd>
 <% end %>
 
 <% if (view.value.cert) then %>
 <dt>Certificate</dt>
-<dd><%= view.value.cert %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.cert  , label=view.value.cert } %></dd>
+<dd><%= html.html_escape(view.value.cert) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.cert  , label=view.value.cert } %></dd>
 <% end %>
 
 <% if (view.value.key) then %>
 <dt>Private Key</dt>
-<dd><%= view.value.key %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.key  , label=view.value.key } %></dd>
+<dd><%= html.html_escape(view.value.key) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.key  , label=view.value.key } %></dd>
 <% end %>
 
 <% if (view.value.tls) then %>
 <dt>TLS Authentication</dt>
-<dd><%= view.value.tls %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.tls  , label=view.value.tls } %></dd>
+<dd><%= html.html_escape(view.value.tls) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.tls  , label=view.value.tls } %></dd>
 <% end %>
 
 <% if (view.value.crl) then %>
 <dt>CRL Verify File</dt>
-<dd><%= view.value.crl %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.crl  , label=view.value.crl } %></dd>
+<dd><%= html.html_escape(view.value.crl) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.crl  , label=view.value.crl } %></dd>
 <% end %>
 </dl>
 <% end %>
-- 
cgit v1.2.3