From ce796fb65dd1ae945cc5cfd897691b8ca774ff9c Mon Sep 17 00:00:00 2001 From: Ted Trask Date: Thu, 15 Jan 2009 21:44:39 +0000 Subject: Modified html.lua and viewlibrary.lua and all html files to html_escape variables before displaying them. git-svn-id: svn://svn.alpinelinux.org/acf/openvpn/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
--- openvpn-listconfigs-html.lsp | 10 +++++----- openvpn-statusinfo-html.lsp | 12 ++++++------ openvpn-viewconfig-html.lsp | 34 +++++++++++++++++----------------- 3 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/openvpn-listconfigs-html.lsp b/openvpn-listconfigs-html.lsp
index 1e67f4b..498e52f 100644
--- a/openvpn-listconfigs-html.lsp
+++ b/openvpn-listconfigs-html.lsp
@@ -29,13 +29,13 @@ end %> <%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/deleteconfig?name=" .. config.name.."&redir="..page_info.orig_action, label="Delete " } %> <% end %> - <%= string.gsub(config.name, "^.*/", "") %> - ><%= config.type %> - <%= config.status %> - <% if ( config.type == "server" ) then %><% if ( config.clients > 0 ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/status_info?name=" .. config.name, label = config.clients } %><% else %><%= config.clients %><% end %><% end %> + <%= html.html_escape(string.gsub(config.name, "^.*/", "")) %> + ><%= html.html_escape(config.type) %> + <%= html.html_escape(config.status) %> + <% if ( config.type == "server" ) then %><% if ( config.clients > 0 ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/status_info?name=" .. config.name, label = config.clients } %><% else %><%= html.html_escape(config.clients) %><% end %><% end %> <% if config.errtxt then %> - <%= config.errtxt %> + <%= html.html_escape(config.errtxt) %> <% end %> <% end %>
diff --git a/openvpn-statusinfo-html.lsp b/openvpn-statusinfo-html.lsp
index e6f85b5..e68ca0c 100644
--- a/openvpn-statusinfo-html.lsp 
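Review bot: The two `html.link{...}` calls in this hunk still append `config.name` to the `deleteconfig?name=` and `status_info?name=` query strings and pass `config.clients` as the link `label` without escaping; unless the html.lua change named in the commit message escapes `value` and `label` inside html.link, these are the outputs on this page that remain unescaped. A query-string value needs URL encoding rather than HTML escaping in any case — the gsub on the first added line strips everything up to the last `/`, so `config.name` can hold path characters, and a name containing `&`, `#` or `?` would split the parameters. On that same line, `html.html_escape(string.gsub(config.name, "^.*/", ""))` forwards both return values of gsub (the string and the substitution count) to html_escape; an extra pair of parentheses, `html.html_escape((string.gsub(config.name, "^.*/", "")))`, truncates the call to the string alone, as the removed `io.write((string.gsub(...)))` in openvpn-viewconfig-html.lsp did.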
+++ b/openvpn-statusinfo-html.lsp
@@ -13,14 +13,14 @@ <% for i in ipairs(view.value) do %> - <%= view.value[i].CN %> - <%= view.value[i].VIRTADDR %> - <%= view.value[i].REALADDR %> - <%= view.value[i].BYTESRCV %> - <%= view.value[i].BYTESSND %> + <%= html.html_escape(view.value[i].CN) %> + <%= html.html_escape(view.value[i].VIRTADDR) %> + <%= html.html_escape(view.value[i].REALADDR) %> + <%= html.html_escape(view.value[i].BYTESRCV) %> + <%= html.html_escape(view.value[i].BYTESSND) %> - <%= view.value[i].CONN %> + <%= html.html_escape(view.value[i].CONN) %> <% end %>
diff --git a/openvpn-viewconfig-html.lsp b/openvpn-viewconfig-html.lsp
index 1cdfa8d..c70f191 100644
--- a/openvpn-viewconfig-html.lsp
+++ b/openvpn-viewconfig-html.lsp
@@ -2,48 +2,48 @@ <% require("format") %> <% local shortname = string.gsub(view.value.name, "^.*/", "") %> -
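Review bot: Each of the six escaped cells re-indexes `view.value[i]`; iterating the record instead, `for _, client in ipairs(view.value) do` with `html.html_escape(client.CN)` and so on, reads more directly and is the only point to raise on this hunk, as the escaping itself is complete. It is also the hunk where escaping matters most: if, as the field names suggest, these rows are parsed from the OpenVPN status output, the CN comes from the peer's certificate and REALADDR from the connecting address, neither of which the administrator controls.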

<%= format.cap_begin_word(view.value.type) %> config '<%= shortname %>'

+

<%= html.html_escape(format.cap_begin_word(view.value.type)) %> config '<%= html.html_escape(shortname) %>'

-

<%= format.cap_begin_word(view.value.type) %> settings

+

<%= html.html_escape(format.cap_begin_word(view.value.type)) %> settings

Mode
-
<%= view.value.type %>
+
<%= html.html_escape(view.value.type) %>
User device
-
<%= view.value.dev %>
+
<%= html.html_escape(view.value.dev) %>
<% if view.value.type == "server" then %>
Listens on
-
<%= view.value["local"] %>:<%= view.value.port %> (<%= view.value.proto %>)
+
<%= html.html_escape(view.value["local"]) %>:<%= html.html_escape(view.value.port) %> (<%= html.html_escape(view.value.proto) %>)
<% end %> <% if view.value.type == "client" then %>
Remote server
-
<% if string.find(view.value.remote, "%s") then io.write((string.gsub(view.value.remote, "%s+", ":"))) else io.write(view.value.remote .. (view.value.rport or view.value.port or "1194")) end %> (<%= view.value.proto %>)
+
<% if string.find(view.value.remote, "%s") then io.write(html.html_escape(string.gsub(view.value.remote, "%s+", ":"))) else io.write(html.html_escape(view.value.remote .. (view.value.rport or view.value.port or "1194"))) end %> (<%= html.html_escape(view.value.proto) %>)
<% end %>
Logfile
-
<% if ( view.value.log ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/logfile?name=" .. view.value.name, label=view.value.log } %><% else %>Syslog<% end %> (Verbosity level: <%= view.value.verb %>)
+
<% if ( view.value.log ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/logfile?name=" .. view.value.name, label=view.value.log } %><% else %>Syslog<% end %> (Verbosity level: <%= html.html_escape(view.value.verb) %>)
<% if view.value.type == "server" then %>

Connected clients status

Last status was recorded
-
<%= view.value.client_lastupdate %> (This was <%= view.value.client_lastdatechangediff %> ago)
+
<%= html.html_escape(view.value.client_lastupdate) %> (This was <%= html.html_escape(view.value.client_lastdatechangediff) %> ago)
Maximum clients
-
<%= view.value["max-clients"] %>
+
<%= html.html_escape(view.value["max-clients"]) %>
Connected clients
-
<% if ( view.value.client_count > 0 ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/status_info?name=" .. view.value.name , label=view.value.client_count } %><% else %><%= view.value.client_count %><% end %>
+
<% if ( view.value.client_count > 0 ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/status_info?name=" .. view.value.name , label=view.value.client_count } %><% else %><%= html.html_escape(view.value.client_count) %><% end %>
<% end %>

Startup options

Process status
-
<%= view.value.status_isrunning %>
+
<%= html.html_escape(view.value.status_isrunning) %>
<% if view.value.dh or view.value.ca or view.value.cert or view.value.key or view.value.tls or view.value.crl then %>
@@ -51,32 +51,32 @@
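Review bot: On the client-branch line, `io.write(html.html_escape(string.gsub(view.value.remote, "%s+", ":")))` drops the extra parentheses the removed line had around `string.gsub`, so html_escape is now called with gsub's substitution count as a second argument; `io.write(html.html_escape((string.gsub(view.value.remote, "%s+", ":"))))` restores the single-value call. The `html.link{...}` calls on the Logfile and Connected clients rows still pass `view.value.log` and `view.value.client_count` as unescaped labels and append `view.value.name` to the query string without URL encoding, unless the html.lua change named in the commit message handles that inside html.link. The `<% if view.value.dh or ... then %>` on the hunk's last context line is closed only in the following hunk.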
<% if (view.value.dh) then %>
DH
-
<%= view.value.dh %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.dh , label=view.value.dh } %>
+
<%= html.html_escape(view.value.dh) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.dh , label=view.value.dh } %>
<% end %> <% if (view.value.ca) then %>
CA Certificate
-
<%= view.value.ca %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.ca , label=view.value.ca } %>
+
<%= html.html_escape(view.value.ca) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.ca , label=view.value.ca } %>
<% end %> <% if (view.value.cert) then %>
Certificate
-
<%= view.value.cert %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.cert , label=view.value.cert } %>
+
<%= html.html_escape(view.value.cert) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.cert , label=view.value.cert } %>
<% end %> <% if (view.value.key) then %>
Private Key
-
<%= view.value.key %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.key , label=view.value.key } %>
+
<%= html.html_escape(view.value.key) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.key , label=view.value.key } %>
<% end %> <% if (view.value.tls) then %>
TLS Authentication
-
<%= view.value.tls %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.tls , label=view.value.tls } %>
+
<%= html.html_escape(view.value.tls) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.tls , label=view.value.tls } %>
<% end %> <% if (view.value.crl) then %>
CRL Verify File
-
<%= view.value.crl %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.crl , label=view.value.crl } %>
+
<%= html.html_escape(view.value.crl) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.crl , label=view.value.crl } %>
<% end %>
<% end %> -- cgit v1.2.3
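Review bot: The six certificate and key rows differ only in the field and its caption, so the new escaping is repeated six times; a table of pairs such as `{{"dh", "DH"}, {"ca", "CA Certificate"}, ...}` iterated with `for _, row in ipairs(...)` and a single `html.html_escape(view.value[row[1]])` would keep it in one place. The commented-out `html.link` call on each row was carried along unchanged; if it is ever re-enabled, the field appended to `pem_info?name=` needs URL encoding and the `label` needs the same escaping the visible value now gets, so either update those stubs or drop them. The outer `<% if view.value.dh or ... then %>` that this hunk's final `<% end %>` closes is opened in the previous hunk.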