-rwxr-xr-x | tinydns-config-html.lsp | 2 | ||||
-rw-r--r-- | tinydns-edit-html.lsp | 18 | ||||
-rw-r--r-- | tinydns-html.lsp | 2 | ||||
-rw-r--r-- | tinydns-listfiles-html.lsp | 6 | ||||
-rw-r--r-- | tinydns-listpermissions-html.lsp | 6 | ||||
-rw-r--r-- | tinydns-status-html.lsp | 4 | ||||
-rw-r--r-- | tinydns-view-html.lsp | 26 |
7 files changed, 32 insertions, 32 deletions
diff --git a/tinydns-config-html.lsp b/tinydns-config-html.lsp
index 1193b65..9f10a4c 100755
--- a/tinydns-config-html.lsp
+++ b/tinydns-config-html.lsp
@@ -15,7 +15,7 @@ io.write("</span>")
 viewlibrary.dispatch_component("status")
 end
 %>
-<h1><%= form.label %></h1>
+<h1><%= html.html_escape(form.label) %></h1>
 <%
 form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 displayform(form)
diff --git a/tinydns-edit-html.lsp b/tinydns-edit-html.lsp
index f8d8dbb..785589a 100644
--- a/tinydns-edit-html.lsp
+++ b/tinydns-edit-html.lsp
@@ -35,9 +35,9 @@ var entrytext = entry.find("select").val() +
 entry.find("input:not(.submit)").map(function(){
 if (this.name == "fixme") {
 if ($(this).val() != "")
- return $(this).val() + ".<%= domain %>";
+ return $(this).val() + ".<%= html.html_escape(domain) %>";
 else
- return "<%= domain %>";
+ return "<%= html.html_escape(domain) %>";
 } else {
 return $(this).val();
 }
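Review bot: In the `@@ -35,9 +35,9 @@` hunk, `html.html_escape(domain)` is interpolated into two JavaScript string literals, and HTML escaping is the wrong escaper for that context: inside a `<script>` block entities are not decoded, so a `&` in `domain` reaches the script as `&amp;`, while a backslash or a newline, which an HTML escaper leaves alone, still terminates or corrupts the literal. The change does shut the obvious `</script>` and `"` breakouts and is worth keeping, but the value should go through a JavaScript-string encoder (backslash-escape `\`, `"`, `'`, CR/LF and `<`), e.g. `return $(this).val() + ".<%= js_escape(domain) %>";`; whether the framework already ships such a helper is not visible here. Where `domain` is assigned is outside the hunk, so how hostile it can be cannot be judged from the diff.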
@@ -70,11 +70,11 @@ for (i=0; i<entryType.num; i++){
 if (entries[i] === null) { entries[i] = ""; }
 if (entryType.descriptions[i] == "Domain" || entryType.descriptions[i] == "Alias" || entryType.descriptions[i] == "Host" )
- form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i].replace(/\.?<%= string.gsub(domain, "[\\%[%]%.%*%?%+%{%^%$]", "\\%1") %>$/i, "") + '" name="fixme"> . <%= domain %></dd>';
+ form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i].replace(/\.?<%= string.gsub(html.html_escape(domain), "[\\%[%]%.%*%?%+%{%^%$]", "\\%1") %>$/i, "") + '" name="fixme"> . <%= html.html_escape(domain) %></dd>';
 else
 form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i] + '"></dd>';
 }
- form = form + '\n<DT></DT><DD><input class="submit" type="submit" value="<%= form.option %>"></DD>';
+ form = form + '\n<DT></DT><DD><input class="submit" type="submit" value="<%= html.html_escape(form.option) %>"></DD>';
 form = form + "\n</dl>";
 entry.empty().append(form);
 entry.find("select").change(function(){
@@ -83,7 +83,7 @@ createForm(entry);
 });
 entry.find("input.submit").click(function() {
- $("input[name='<%= form.option %>']").click();
+ $("input[name='<%= html.html_escape(form.option) %>']").click();
 });
 }
 function editLine(){
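Review bot: In the `@@ -70,11 +70,11 @@` hunk the new Domain/Alias/Host line still splices `domain` into a regex literal, and the `string.gsub` class only backslash-escapes `\ [ ] . * ? + { ^ $`: a `/` would end the `/…/i` literal early and `(`, `)`, `}` or `|` would change what is matched, and none of those are touched by `html.html_escape`, which is correctly applied first. Widening the class to `"[\\%[%]%(%)%{%}%.%*%?%+%|%/%^%$]"` covers the remaining ECMAScript metacharacters, even if a domain name should rarely contain them. Separately, `entries[i]`, `entryType.descriptions[i]` and the context `else` branch still concatenate raw values into `value="…"` markup that `entry.empty().append(form)` parses; if those arrays can carry zone-file contents rather than template constants, they need attribute escaping or should be set with `.val()` after the element is created — their origin, like the start of the enclosing function, is outside this hunk.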
@@ -157,8 +157,8 @@ displayitem(form.value.mtime)
 </DL>
 <H3>File Entries</H3>
-<% if form.descr then %><P CLASS='descr'><%= string.gsub(form.descr, "\n", "<BR>") %></P><% end %>
-<% if form.errtxt then %><P CLASS='error'><%= string.gsub(form.errtxt, "\n", "<BR>") %></P><% end %>
+<% if form.descr then %><P CLASS='descr'><%= string.gsub(html.html_escape(form.descr), "\n", "<BR>") %></P><% end %>
+<% if form.errtxt then %><P CLASS='error'><%= string.gsub(html.html_escape(form.errtxt), "\n", "<BR>") %></P><% end %>
 <TABLE id="entries">
 <% for line in string.gmatch(html.html_escape(form.value.filecontent.value).."\n", "([^\n]*)\n") do %>
 <TR>
@@ -166,11 +166,11 @@ displayitem(form.value.mtime)
 </TR>
 <% end %>
 </TABLE>
-<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(form.value.filecontent.errtxt, "\n", "<BR>") %></P><% end %>
+<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(html.html_escape(form.value.filecontent.errtxt), "\n", "<BR>") %></P><% end %>
 <% form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>
 <% displayformstart(form) %>
-<input type="hidden" name="filename" value="<%= form.value.filename.value %>">
+<input type="hidden" name="filename" value="<%= html.html_escape(form.value.filename.value) %>">
 <input type="hidden" name="filecontent" value="<%= html.html_escape(form.value.filecontent.value) %>">
 <H2>Save and Apply Above Settings</H2>
 <% displayformend(form) %>
diff --git a/tinydns-html.lsp b/tinydns-html.lsp
index abe7bf1..a135d3b 100644
--- a/tinydns-html.lsp
+++ b/tinydns-html.lsp
@@ -2,7 +2,7 @@ require("viewfunctions")
 %>
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
 <%
 form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
 if form.value.userid then form.value.userid.readonly = true end
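Review bot: In the `@@ -157,8 +157,8 @@` hunk the two new `<%= string.gsub(html.html_escape(...), "\n", "<BR>") %>` lines get the order right (escape first, then insert the markup), but `string.gsub` returns two values, the text and the substitution count; if `<%= … %>` expands to a plain `io.write(...)` rather than `io.write(tostring(...))`, the count is written out after the paragraph text. How the template engine expands `<%= %>` is not visible here, so if it is the former, wrap the call as `<%= (string.gsub(html.html_escape(form.descr), "\n", "<BR>")) %>` to truncate it to one value; the same applies to the errtxt lines in this hunk and the next.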
diff --git a/tinydns-listfiles-html.lsp b/tinydns-listfiles-html.lsp
index 4286122..14f8419 100644
--- a/tinydns-listfiles-html.lsp
+++ b/tinydns-listfiles-html.lsp
@@ -31,9 +31,9 @@ io.write("</span>")
 if session.permissions[page_info.controller].editfile then io.write(html.link{value = "editfile?filename=" .. file.value.filename.value.."&redir="..page_info.orig_action, label="Expert " }) end %>
 </TD>
- <TD style="padding-right:20px;white-space:nowrap;text-align:right;"><%= file.value.filesize.value %></TD>
- <TD style="padding-right:20px;white-space:nowrap;"><%= file.value.mtime.value %></TD>
- <TD style="white-space:nowrap;" width="90%"><%= string.gsub(file.value.filename.value, "^.*/", "") %></TD>
+ <TD style="padding-right:20px;white-space:nowrap;text-align:right;"><%= html.html_escape(file.value.filesize.value) %></TD>
+ <TD style="padding-right:20px;white-space:nowrap;"><%= html.html_escape(file.value.mtime.value) %></TD>
+ <TD style="white-space:nowrap;" width="90%"><%= html.html_escape(string.gsub(file.value.filename.value, "^.*/", "")) %></TD>
 </TR>
 <% end %>
 </TABLE>
diff --git a/tinydns-listpermissions-html.lsp b/tinydns-listpermissions-html.lsp
index fc80db9..55d09b5 100644
--- a/tinydns-listpermissions-html.lsp
+++ b/tinydns-listpermissions-html.lsp
@@ -6,7 +6,7 @@
 <% displaycommandresults({"edituserpermisisons", "editrolepermissions"}, session) %>
-<H1><%= view.label %></H1>
+<H1><%= html.html_escape(view.label) %></H1>
 <H2>User Permissions</H2>
 <TABLE>
@@ -14,7 +14,7 @@
 <% for i,user in ipairs(view.value.user) do %>
 <TR><TD><%= html.link{value=page_info.script .. page_info.prefix .. page_info.controller .. "/edituserpermissions?userid=" .. user.id .. "&redir="..page_info.orig_action, label=user.id} %></TD><TD>
 <% for y,allowed in pairs(user.allowed) do
- print(allowed, "<BR>")
+ print(html.html_escape(allowed), "<BR>")
 end %>
 <TD></TR>
 <% end %>
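Review bot: In the `@@ -31,9 +31,9 @@` hunk the three new cells are escaped, but the `html.link{value = "editfile?filename=" .. file.value.filename.value.."&redir="..page_info.orig_action, …}` on the context line above them still builds a query string by raw concatenation: neither the filename nor `orig_action` is URL-encoded, so `&`, `#` or `%` in them would split or corrupt the query, and whether `html.link` attribute-escapes `value` is not visible from the diff. Encoding each parameter before concatenation, for instance `"editfile?filename=" .. url_encode(file.value.filename.value) .. "&redir=" .. url_encode(page_info.orig_action)` with whatever encoder the framework provides, keeps the link well-formed independently of `html.link`'s behaviour. The enclosing loop (closed by the `<% end %>` near the bottom of the hunk) starts before the hunk.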
@@ -26,7 +26,7 @@
 <% for i,role in ipairs(view.value.role) do %>
 <TR><TD><%= html.link{value=page_info.script .. page_info.prefix .. page_info.controller .. "/editrolepermissions?role=" .. role.id .. "&redir="..page_info.orig_action, label=role.id} %></TD><TD>
 <% for y,allowed in pairs(role.allowed) do
- print(allowed, "<BR>")
+ print(html.html_escape(allowed), "<BR>")
 end %>
 <TD></TR>
 <% end %>
diff --git a/tinydns-status-html.lsp b/tinydns-status-html.lsp
index 5eafebd..efe77b8 100644
--- a/tinydns-status-html.lsp
+++ b/tinydns-status-html.lsp
@@ -12,14 +12,14 @@ displayitem(data.value.status)
 displayitem(data.value.version)
 if data.value.version and data.value.version.errtxt and session.permissions.apk and session.permissions.apk.install then %>
- <a href="<%= page_info.script .. "/apk-tools/apk/install?package="..data.value.version.name %>">Install</a>
+ <a href="<%= html.html_escape(page_info.script .. "/apk-tools/apk/install?package="..data.value.version.name) %>">Install</a>
 <% end
 displayitem(data.value.autostart)
 if not (data.value.version and data.value.version.errtxt) and data.value.autostart and data.value.autostart.errtxt and session.permissions.rc and session.permissions.rc.edit then %>
- <a href="<%= page_info.script .. "/alpine-baselayout/rc/edit?servicename="..data.value.autostart.name.."&redir=".. page_info.orig_action %>">Schedule autostart</a>
+ <a href="<%= html.html_escape(page_info.script .. "/alpine-baselayout/rc/edit?servicename="..data.value.autostart.name.."&redir=".. page_info.orig_action) %>">Schedule autostart</a>
 <% end
diff --git a/tinydns-view-html.lsp b/tinydns-view-html.lsp
index b163ce5..35052ab 100644
--- a/tinydns-view-html.lsp
+++ b/tinydns-view-html.lsp
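Review bot: In the `@@ -12,14 +12,14 @@` hunk, wrapping the whole `href` in `html.html_escape` is the right thing for a double-quoted attribute, but it is not URL encoding: `data.value.version.name`, `data.value.autostart.name` and `page_info.orig_action` are still concatenated into query values unencoded, so an `&`, `#` or `%` in any of them would split or corrupt the query. Encoding each value before concatenation (`"?package=" .. url_encode(data.value.version.name)`, likewise for `servicename=` and `redir=`) and then escaping the result for the attribute as the hunk already does gives a link that is correct at both layers. Whether these names can contain such characters depends on the controller, which is not visible here.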
@@ -51,7 +51,7 @@ io.write("</span>")
 %>
 <H1>DNS Entries
-<% if view.filename then io.write(" for "..string.gsub(view.filename, "^.*/", "")) end %>
+<% if view.filename then io.write(" for "..html.html_escape(string.gsub(view.filename, "^.*/", ""))) end %>
 </H1>
 <H2>Locations</H2>
 <DL id="locations">
@@ -63,13 +63,13 @@ for i,loc in ipairs(view.value) do
 if currentloc ~= "" then %>
 </ul>
 <% end %>
- <li><IMG SRC='/skins/static/tango/16x16/places/start-here.png' width='16' height='16' alt> <B><%= loc[1] %></B></li>
+ <li><IMG SRC='/skins/static/tango/16x16/places/start-here.png' width='16' height='16' alt> <B><%= html.html_escape(loc[1]) %></B></li>
 <ul STYLE='margin-left:30px';>
 <% end
 currentloc = loc[1] %>
- <li id='filename=<%= loc.filename %>;linenumber=<%= loc.linenumber %>'>
- <%= loc[2] %><% if loc[2] == "" then io.write('*') end %>
- <% if (loc.errtxt) then %><P CLASS='error'><%= string.gsub(loc.errtxt, "\n", "<BR>") %></P><% end %>
+ <li id='filename=<%= html.html_escape(loc.filename) %>;linenumber=<%= html.html_escape(loc.linenumber) %>'>
+ <%= html.html_escape(loc[2]) %><% if loc[2] == "" then io.write('*') end %>
+ <% if (loc.errtxt) then %><P CLASS='error'><%= string.gsub(html.html_escape(loc.errtxt), "\n", "<BR>") %></P><% end %>
 </li>
 <% end
 end %>
@@ -102,7 +102,7 @@ local function doListIndents(next, indent)
 end
 for j=1,starting do
 io.write("<ul><li STYLE='margin-left:10px;'><strong>")
- io.write(table.concat(newentry, ".", #newentry-(i+j-2), #newentry))
+ io.write(html.html_escape(table.concat(newentry, ".", #newentry-(i+j-2), #newentry)))
 io.write("</strong>\n")
 end
 return revnewentry
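Review bot: In the `@@ -63,13 +63,13 @@` hunk the new `<li id='filename=<%= html.html_escape(loc.filename) %>;linenumber=<%= html.html_escape(loc.linenumber) %>'>` is a single-quoted attribute, so the escaping only holds if `html.html_escape` also converts `'`, and the diff does not show the helper's character set. Switching the attribute to double quotes, `id="filename=<%= html.html_escape(loc.filename) %>;linenumber=<%= html.html_escape(loc.linenumber) %>"`, removes that dependency. Also, `loc.linenumber` is passed without `tostring()`, unlike `tostring(7-#indent)` in the later hunk of this file; if linenumber is a number and the helper only accepts strings, that line would fail, so it is worth confirming.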
@@ -117,20 +117,20 @@ end
 for j,entry in ipairs(view.value) do
 if entry.type ~= '%' then
 indent = doListIndents(entry[1], indent) %>
- <ul><li STYLE='margin-left:10px;' id='filename=<%= entry.filename %>;linenumber=<%= entry.linenumber %>'>
- <IMG SRC='/skins/static/tango/16x16/devices/computer.png' width='16' height='16'><%= entry.label %><BR>
- <pre><%= entry.configline %></pre>
- <TABLE STYLE='margin-left:<%= tostring(7-#indent) %>0px;'>
+ <ul><li STYLE='margin-left:10px;' id='filename=<%= html.html_escape(entry.filename) %>;linenumber=<%= html.html_escape(entry.linenumber) %>'>
+ <IMG SRC='/skins/static/tango/16x16/devices/computer.png' width='16' height='16'><%= html.html_escape(entry.label) %><BR>
+ <pre><%= html.html_escape(entry.configline) %></pre>
+ <TABLE STYLE='margin-left:<%= html.html_escape(tostring(7-#indent)) %>0px;'>
 <% for k=2,#entry do
 local option = entry[k]
 if (option) and option ~= "" then %>
- <TR><TD WIDTH='160px' STYLE='border:none;'><%= view.fieldlabels[entry.type][k] %>:</TD>
- <TD STYLE='border:none;'><%= option %></TD></TR>
+ <TR><TD WIDTH='160px' STYLE='border:none;'><%= html.html_escape(view.fieldlabels[entry.type][k]) %>:</TD>
+ <TD STYLE='border:none;'><%= html.html_escape(option) %></TD></TR>
 <% end
 end %>
 </TABLE>
 <% if entry.errtxt then %>
- <P CLASS='error'><%= string.gsub(entry.errtxt, "\n", "<BR>") %></P>
+ <P CLASS='error'><%= string.gsub(html.html_escape(entry.errtxt), "\n", "<BR>") %></P>
 <% end %>
 </li></ul>
 <% end |
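Review bot: In the `@@ -117,20 +117,20 @@` hunk the new `<ul><li STYLE='margin-left:10px;' id='filename=…;linenumber=…'>` line relies on `html.html_escape` neutralising `'` because the attribute is single-quoted, and the helper's behaviour on apostrophes is not visible in the diff; double-quoting the attribute, `id="filename=<%= html.html_escape(entry.filename) %>;linenumber=<%= html.html_escape(entry.linenumber) %>"`, makes the escaping sufficient regardless. As a point of style, `html.html_escape(tostring(7-#indent))` escapes a locally computed integer that cannot contain markup; leaving that one as `<%= tostring(7-#indent) %>` keeps the escaping calls pointing at the untrusted values (`entry.filename`, `entry.label`, `entry.configline`, `option`), which is what a later reader will look for.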