authorTed Trask <ttrask01@yahoo.com>2009-01-15 21:44:39 +0000
committerTed Trask <ttrask01@yahoo.com>2009-01-15 21:44:39 +0000
commita89437b3c168e6d5f38b8e577f31ea89f5c9c8d0 (patch)
treee64d30cb5a84749037695fbb1e34be6320964958 /tinydns-edit-html.lsp
parent21db17697487d4476e7f521b87b8e88fb61f9672 (diff)
Modified html.lua and viewlibrary.lua and all html files to html_escape variables before displaying them.
git-svn-id: svn://svn.alpinelinux.org/acf/tinydns/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
Diffstat (limited to 'tinydns-edit-html.lsp')
-rw-r--r--tinydns-edit-html.lsp18
1 files changed, 9 insertions, 9 deletions
diff --git a/tinydns-edit-html.lsp b/tinydns-edit-html.lsp
index f8d8dbb..785589a 100644
--- a/tinydns-edit-html.lsp
+++ b/tinydns-edit-html.lsp
@@ -35,9 +35,9 @@
var entrytext = entry.find("select").val() + entry.find("input:not(.submit)").map(function(){
if (this.name == "fixme") {
if ($(this).val() != "")
- return $(this).val() + ".<%= domain %>";
+ return $(this).val() + ".<%= html.html_escape(domain) %>";
else
- return "<%= domain %>";
+ return "<%= html.html_escape(domain) %>";
} else {
return $(this).val();
}
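Review bot: The two `<%= html.html_escape(domain) %>` substitutions in this hunk land inside double-quoted JavaScript string literals, where HTML entity encoding is the wrong encoder. Assuming this code sits in a `<script>` block, entities are not decoded there, so a `&` in the value would reach `entrytext` as `&amp;`, and whether a backslash or line break can still end the literal depends on what html_escape covers, which is not visible here. The same applies to the selector string `$("input[name='<%= html.html_escape(form.option) %>']")` in the `@@ -83,7` hunk and to the regex literal in the `@@ -70,11` hunk, where `/` is also missing from the escaped character class. I would encode for the JavaScript context instead, or emit the value once in an HTML-escaped attribute and read it from script, for example `var domain = $("#entries").attr("data-domain");` (attribute name constructed for illustration). The enclosing function starts and ends outside the hunk.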
@@ -70,11 +70,11 @@
for (i=0; i<entryType.num; i++){
if (entries[i] === null) { entries[i] = ""; }
if (entryType.descriptions[i] == "Domain" || entryType.descriptions[i] == "Alias" || entryType.descriptions[i] == "Host" )
- form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i].replace(/\.?<%= string.gsub(domain, "[\\%[%]%.%*%?%+%{%^%$]", "\\%1") %>$/i, "") + '" name="fixme"> . <%= domain %></dd>';
+ form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i].replace(/\.?<%= string.gsub(html.html_escape(domain), "[\\%[%]%.%*%?%+%{%^%$]", "\\%1") %>$/i, "") + '" name="fixme"> . <%= html.html_escape(domain) %></dd>';
else
form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i] + '"></dd>';
}
- form = form + '\n<DT></DT><DD><input class="submit" type="submit" value="<%= form.option %>"></DD>';
+ form = form + '\n<DT></DT><DD><input class="submit" type="submit" value="<%= html.html_escape(form.option) %>"></DD>';
form = form + "\n</dl>";
entry.empty().append(form);
entry.find("select").change(function(){
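Review bot: `entries[i]` and `entryType.descriptions[i]` are still concatenated into the markup string that `entry.empty().append(form)` parses as HTML, so the server-side escaping added in this hunk does not cover them. Where `entries` is filled is outside the hunk, but if it is read back from the displayed file lines, the browser has already entity-decoded that text and any quote or angle bracket in a record would be re-parsed as markup. Setting the value through the DOM avoids that, for example building the field with `$('<input type="text">').val(entries[i])` and appending it to the `<dd>` rather than splicing it into `value="..."`. The function containing this loop begins and ends outside the hunk.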
@@ -83,7 +83,7 @@
createForm(entry);
});
entry.find("input.submit").click(function() {
- $("input[name='<%= form.option %>']").click();
+ $("input[name='<%= html.html_escape(form.option) %>']").click();
});
}
function editLine(){
@@ -157,8 +157,8 @@ displayitem(form.value.mtime)
</DL>
<H3>File Entries</H3>
-<% if form.descr then %><P CLASS='descr'><%= string.gsub(form.descr, "\n", "<BR>") %></P><% end %>
-<% if form.errtxt then %><P CLASS='error'><%= string.gsub(form.errtxt, "\n", "<BR>") %></P><% end %>
+<% if form.descr then %><P CLASS='descr'><%= string.gsub(html.html_escape(form.descr), "\n", "<BR>") %></P><% end %>
+<% if form.errtxt then %><P CLASS='error'><%= string.gsub(html.html_escape(form.errtxt), "\n", "<BR>") %></P><% end %>
<TABLE id="entries">
<% for line in string.gmatch(html.html_escape(form.value.filecontent.value).."\n", "([^\n]*)\n") do %>
<TR>
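Review bot: The expression `string.gsub(html.html_escape(x), "\n", "<BR>")` is now written out twice in this hunk and again for `form.value.filecontent.errtxt` in the next one, and it is only safe while the escape runs before the `<BR>` substitution. One helper next to html_escape that performs both steps in that order would stop a later edit from reversing them. Failing that, a short comment above these lines saying "escape first, then insert <BR>; never the reverse" would record the constraint.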
@@ -166,11 +166,11 @@ displayitem(form.value.mtime)
</TR>
<% end %>
</TABLE>
-<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(form.value.filecontent.errtxt, "\n", "<BR>") %></P><% end %>
+<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(html.html_escape(form.value.filecontent.errtxt), "\n", "<BR>") %></P><% end %>
<% form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>
<% displayformstart(form) %>
-<input type="hidden" name="filename" value="<%= form.value.filename.value %>">
+<input type="hidden" name="filename" value="<%= html.html_escape(form.value.filename.value) %>">
<input type="hidden" name="filecontent" value="<%= html.html_escape(form.value.filecontent.value) %>">
<H2>Save and Apply Above Settings</H2>
<% displayformend(form) %>
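Review bot: The hidden `filename` field is now escaped for output, but it is still a value the browser posts back, so the escaping says nothing about what arrives on submit. The handler for this form is not part of the diff; it should compare the posted filename against the set of files the controller is willing to edit rather than trust the round-tripped value. If that check already exists, a one-line comment above the field, `filename is re-validated by the controller on POST`, would save the next reviewer the lookup.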