From ce796fb65dd1ae945cc5cfd897691b8ca774ff9c Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/openvpn/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 openvpn-viewconfig-html.lsp | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

(limited to 'openvpn-viewconfig-html.lsp')

diff --git a/openvpn-viewconfig-html.lsp b/openvpn-viewconfig-html.lsp
index 1cdfa8d..c70f191 100644
--- a/openvpn-viewconfig-html.lsp
+++ b/openvpn-viewconfig-html.lsp
@@ -2,48 +2,48 @@
 <% require("format") %>
 <% local shortname = string.gsub(view.value.name, "^.*/", "") %>
 
-<h1><%= format.cap_begin_word(view.value.type) %> config '<%= shortname %>'</h1>
+<h1><%= html.html_escape(format.cap_begin_word(view.value.type)) %> config '<%= html.html_escape(shortname) %>'</h1>
 
-<h2><%= format.cap_begin_word(view.value.type) %> settings</h2>
+<h2><%= html.html_escape(format.cap_begin_word(view.value.type)) %> settings</h2>
 <dl>
 <dt>Mode</dt>
-<dd><%= view.value.type %></dd>
+<dd><%= html.html_escape(view.value.type) %></dd>
 
 <dt>User device</dt>
-<dd><%= view.value.dev %></dd>
+<dd><%= html.html_escape(view.value.dev) %></dd>
 
 <% if view.value.type == "server" then %>
 <dt>Listens on</dt>
-<dd><%= view.value["local"] %>:<%= view.value.port %> (<%= view.value.proto %>)</dd>
+<dd><%= html.html_escape(view.value["local"]) %>:<%= html.html_escape(view.value.port) %> (<%= html.html_escape(view.value.proto) %>)</dd>
 <% end %>
 
 <% if view.value.type == "client" then %>
 <dt>Remote server</dt>
-<dd><% if string.find(view.value.remote, "%s") then io.write((string.gsub(view.value.remote, "%s+", ":"))) else io.write(view.value.remote .. (view.value.rport or view.value.port or "1194")) end %> (<%= view.value.proto %>)</dd>
+<dd><% if string.find(view.value.remote, "%s") then io.write(html.html_escape(string.gsub(view.value.remote, "%s+", ":"))) else io.write(html.html_escape(view.value.remote .. (view.value.rport or view.value.port or "1194"))) end %> (<%= html.html_escape(view.value.proto) %>)</dd>
 <% end %>
 
 <dt>Logfile</dt>
-<dd><% if ( view.value.log ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/logfile?name=" .. view.value.name, label=view.value.log } %><% else %>Syslog<% end %> (Verbosity level: <%= view.value.verb %>)</dd>
+<dd><% if ( view.value.log ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/logfile?name=" .. view.value.name, label=view.value.log } %><% else %>Syslog<% end %> (Verbosity level: <%= html.html_escape(view.value.verb) %>)</dd>
 </dl>
 
 <% if view.value.type == "server" then %>
 <h3>Connected clients status</h3>
 <dl>
 <dt>Last status was recorded</dt>
-<dd><%= view.value.client_lastupdate %> (This was <b><%= view.value.client_lastdatechangediff %></b> ago)</dd>
+<dd><%= html.html_escape(view.value.client_lastupdate) %> (This was <b><%= html.html_escape(view.value.client_lastdatechangediff) %></b> ago)</dd>
 
 <dt>Maximum clients</dt>
-<dd><%= view.value["max-clients"] %></dd>
+<dd><%= html.html_escape(view.value["max-clients"]) %></dd>
 
 <dt>Connected clients</dt>
-<dd><% if ( view.value.client_count > 0 ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/status_info?name=" .. view.value.name  , label=view.value.client_count } %><% else %><%= view.value.client_count %><% end %></dd>
+<dd><% if ( view.value.client_count > 0 ) then %><%= html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/status_info?name=" .. view.value.name  , label=view.value.client_count } %><% else %><%= html.html_escape(view.value.client_count) %><% end %></dd>
 </dl>
 <% end %>
 
 <h2>Startup options</h2>
 <dl>
 <dt>Process status</dt>
-<dd><%= view.value.status_isrunning %></dd>
+<dd><%= html.html_escape(view.value.status_isrunning) %></dd>
 </dl>
 
 <% if view.value.dh or view.value.ca or view.value.cert or view.value.key or view.value.tls or view.value.crl then %>
@@ -51,32 +51,32 @@
 <dl>
 <% if (view.value.dh) then %>
 <dt>DH</dt>
-<dd><%= view.value.dh %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.dh  , label=view.value.dh } %></dd>
+<dd><%= html.html_escape(view.value.dh) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.dh  , label=view.value.dh } %></dd>
 <% end %>
 
 <% if (view.value.ca) then %>
 <dt>CA Certificate</dt>
-<dd><%= view.value.ca %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.ca  , label=view.value.ca } %></dd>
+<dd><%= html.html_escape(view.value.ca) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.ca  , label=view.value.ca } %></dd>
 <% end %>
 
 <% if (view.value.cert) then %>
 <dt>Certificate</dt>
-<dd><%= view.value.cert %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.cert  , label=view.value.cert } %></dd>
+<dd><%= html.html_escape(view.value.cert) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.cert  , label=view.value.cert } %></dd>
 <% end %>
 
 <% if (view.value.key) then %>
 <dt>Private Key</dt>
-<dd><%= view.value.key %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.key  , label=view.value.key } %></dd>
+<dd><%= html.html_escape(view.value.key) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.key  , label=view.value.key } %></dd>
 <% end %>
 
 <% if (view.value.tls) then %>
 <dt>TLS Authentication</dt>
-<dd><%= view.value.tls %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.tls  , label=view.value.tls } %></dd>
+<dd><%= html.html_escape(view.value.tls) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.tls  , label=view.value.tls } %></dd>
 <% end %>
 
 <% if (view.value.crl) then %>
 <dt>CRL Verify File</dt>
-<dd><%= view.value.crl %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.crl  , label=view.value.crl } %></dd>
+<dd><%= html.html_escape(view.value.crl) %><% -- html.link{value = page_info.script .. page_info.prefix .. page_info.controller .. "/pem_info?name=" .. view.value.crl  , label=view.value.crl } %></dd>
 <% end %>
 </dl>
 <% end %>
-- 
cgit v1.2.3