Diffstat (limited to 'tinydns-edit-html.lsp')
-rw-r--r-- | tinydns-edit-html.lsp | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/tinydns-edit-html.lsp b/tinydns-edit-html.lsp
index f8d8dbb..785589a 100644
--- a/tinydns-edit-html.lsp
+++ b/tinydns-edit-html.lsp
@@ -35,9 +35,9 @@
 var entrytext = entry.find("select").val() + entry.find("input:not(.submit)").map(function(){
 if (this.name == "fixme") {
 if ($(this).val() != "")
- return $(this).val() + ".<%= domain %>";
+ return $(this).val() + ".<%= html.html_escape(domain) %>";
 else
- return "<%= domain %>";
+ return "<%= html.html_escape(domain) %>";
 } else {
 return $(this).val();
 }
@@ -70,11 +70,11 @@
 for (i=0; i<entryType.num; i++){
 if (entries[i] === null) { entries[i] = ""; }
 if (entryType.descriptions[i] == "Domain" || entryType.descriptions[i] == "Alias" || entryType.descriptions[i] == "Host" )
- form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i].replace(/\.?<%= string.gsub(domain, "[\\%[%]%.%*%?%+%{%^%$]", "\\%1") %>$/i, "") + '" name="fixme"> . <%= domain %></dd>';
+ form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i].replace(/\.?<%= string.gsub(html.html_escape(domain), "[\\%[%]%.%*%?%+%{%^%$]", "\\%1") %>$/i, "") + '" name="fixme"> . <%= html.html_escape(domain) %></dd>';
 else
 form = form + '<dt>' + entryType.descriptions[i] + '</dt><dd><input type="text" value="' + entries[i] + '"></dd>';
 }
- form = form + '\n<DT></DT><DD><input class="submit" type="submit" value="<%= form.option %>"></DD>';
+ form = form + '\n<DT></DT><DD><input class="submit" type="submit" value="<%= html.html_escape(form.option) %>"></DD>';
 form = form + "\n</dl>";
 entry.empty().append(form);
 entry.find("select").change(function(){
@@ -83,7 +83,7 @@
 createForm(entry);
 });
 entry.find("input.submit").click(function() {
- $("input[name='<%= form.option %>']").click();
+ $("input[name='<%= html.html_escape(form.option) %>']").click();
 });
 }
 function editLine(){
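Review bot: On the two changed `return` lines `html.html_escape` is applied to a value that is emitted into a JavaScript string literal inside the script block, where the browser does not decode entities: a domain containing `&` or `"` would therefore reach the script as literal entity text, while the characters that matter in that context — a backslash, a line terminator, or a `</script` sequence — are not HTML metacharacters, and whether this helper neutralizes them is not visible here. The hunks at -70 (`<%= html.html_escape(form.option) %>` inside a single-quoted JS string) and -83 (inside a jQuery selector string) insert values into the same context. A JavaScript-string encoder, one that backslash-escapes `\`, `"`, `'`, `/` and CR/LF, is the context-correct choice at these sites; with `html_escape` alone the output is HTML-safe, but the script-literal boundary still depends on the values never containing those characters. The function enclosing these lines starts before this hunk.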
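Review bot: The escape set fed to `string.gsub` on the changed `form = form + '<dt>' …` line still omits `/`, `(`, `)` and `|`, so a domain containing one of them reaches the `/\.?…$/i` regex literal unescaped: `/` ends the literal early and the other three change what it matches. Extending the class to `"[\\%[%]%.%*%?%+%{%^%$%(%)%|/]"` lets the existing `"\\%1"` replacement backslash those characters as well. The value is also HTML-escaped before it goes into the regex, and entities are not decoded inside a script block, so a domain containing `&` would become `&amp;` in the pattern and no longer match the text in `entries[i]`; DNS names normally contain none of these characters, so this is a robustness point rather than a likely fault. On the same line `entries[i]` is concatenated into the generated `value="…"` attribute without escaping; where `entries[i]` originates is not visible here, so whether it can carry a `"` needs checking. The enclosing function starts before this hunk.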
@@ -157,8 +157,8 @@ displayitem(form.value.mtime)
 </DL>
 <H3>File Entries</H3>
-<% if form.descr then %><P CLASS='descr'><%= string.gsub(form.descr, "\n", "<BR>") %></P><% end %>
-<% if form.errtxt then %><P CLASS='error'><%= string.gsub(form.errtxt, "\n", "<BR>") %></P><% end %>
+<% if form.descr then %><P CLASS='descr'><%= string.gsub(html.html_escape(form.descr), "\n", "<BR>") %></P><% end %>
+<% if form.errtxt then %><P CLASS='error'><%= string.gsub(html.html_escape(form.errtxt), "\n", "<BR>") %></P><% end %>
 <TABLE id="entries">
 <% for line in string.gmatch(html.html_escape(form.value.filecontent.value).."\n", "([^\n]*)\n") do %>
 <TR>
@@ -166,11 +166,11 @@ displayitem(form.value.mtime)
 </TR>
 <% end %>
 </TABLE>
-<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(form.value.filecontent.errtxt, "\n", "<BR>") %></P><% end %>
+<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(html.html_escape(form.value.filecontent.errtxt), "\n", "<BR>") %></P><% end %>
 <% form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>
 <% displayformstart(form) %>
-<input type="hidden" name="filename" value="<%= form.value.filename.value %>">
+<input type="hidden" name="filename" value="<%= html.html_escape(form.value.filename.value) %>">
 <input type="hidden" name="filecontent" value="<%= html.html_escape(form.value.filecontent.value) %>">
 <H2>Save and Apply Above Settings</H2>
 <% displayformend(form) %>
|
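Review bot: The escape-then-break expression `string.gsub(html.html_escape(x), "\n", "<BR>")` is now written out three times — for `form.descr` and `form.errtxt` here and for `form.value.filecontent.errtxt` in the hunk at -166 — and the order of the two calls is what keeps the inserted `<BR>` from being escaped, so it is easy to invert in a later copy. A one-line helper declared once in the template, e.g. `local function escape_lines(s) return (string.gsub(html.html_escape(s), "\n", "<BR>")) end`, fixes that order in one place; the extra parentheses also drop `gsub`'s second return value (the match count), which the inline calls presumably rely on the `<%= %>` expansion to ignore.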