From 3c67f77555e636f949588c049c2074c70a1cbe33 Mon Sep 17 00:00:00 2001
From: Ted Trask <ttrask01@yahoo.com>
Date: Thu, 15 Jan 2009 21:44:39 +0000
Subject: Modified html.lua and viewlibrary.lua and all html files to
 html_escape variables before displaying them.

git-svn-id: svn://svn.alpinelinux.org/acf/alpine-baselayout/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 rc-status-html.lsp | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

(limited to 'rc-status-html.lsp')
diff --git a/rc-status-html.lsp b/rc-status-html.lsp
index 3272af0..a234798 100644
--- a/rc-status-html.lsp
+++ b/rc-status-html.lsp
@@ -3,15 +3,15 @@
 
 <% if session.editresult then %>
 	<H1>Command Result</H1>
-	<% if session.editresult.errtxt then io.write('<P CLASS="error">' .. string.gsub(session.editresult.errtxt, "\n", "<BR>") .. "</P>\n") end
-	if session.editresult.descr then io.write('<P CLASS="descr">' .. string.gsub(session.editresult.descr, "\n", "<BR>") .. "</P>\n") end
+	<% if session.editresult.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(session.editresult.errtxt), "\n", "<BR>") .. "</P>\n") end
+	if session.editresult.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(session.editresult.descr), "\n", "<BR>") .. "</P>\n") end
 	for name,val in pairs(session.editresult.value) do
-		if val.errtxt then io.write('<P CLASS="error">' .. string.gsub(val.errtxt, "\n", "<BR>") .. "</P>\n") end
+		if val.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(val.errtxt), "\n", "<BR>") .. "</P>\n") end
 	end
 	session.editresult = nil
 end %>
 
-<H1><%= view.label %></H1>
+<H1><%= html.html_escape(view.label) %></H1>
 <TABLE>
 <TR>
 <% if session.permissions.rc.edit then %>
@@ -28,14 +28,14 @@ for i,item in ipairs(view.value) do %>
 		for name,val in pairs(result.value) do val.name=name end
 		if result.value.kill.value then result.value.kill.checked = "" end
 		if result.value.system.value then result.value.system.checked = "" end %>
-		<form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/edit" %>" method="POST">
-		<TD><input class="submit" type="submit" name="<%= result.option %>" value="<%= result.submit or result.option %>"></TD>
-		<TD><%= item.servicename %><%= html.form.hidden(result.value.servicename) %></TD><TD><%= html.form.text(result.value.sequence) %></TD>
+		<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/edit") %>" method="POST">
+		<TD><input class="submit" type="submit" name="<%= html.html_escape(result.option) %>" value="<%= html.html_escape(result.submit or result.option) %>"></TD>
+		<TD><%= html.html_escape(item.servicename) %><%= html.form.hidden(result.value.servicename) %></TD><TD><%= html.form.text(result.value.sequence) %></TD>
 		<TD><%= html.form.checkbox(result.value.kill) %></TD><TD><%= html.form.checkbox(result.value.system) %></TD>
 		</form></TR>
 	<% else %>
-	<TD><%= item.servicename %></TD><TD><%= item.sequence %></TD>
-	<TD><%= item.kill %></TD><TD><%= item.system %></TD></TR>
+	<TD><%= html.html_escape(item.servicename) %></TD><TD><%= html.html_escape(item.sequence) %></TD>
+	<TD><%= html.html_escape(item.kill) %></TD><TD><%= html.html_escape(item.system) %></TD></TR>
 	<% end %>
 <% end %>
 </TABLE>
-- 
cgit v1.2.3


	<%= item.servicename %><%= html.form.hidden(result.value.servicename) %>	<%= html.form.text(result.value.sequence) %>		<%= html.html_escape(item.servicename) %><%= html.form.hidden(result.value.servicename) %>	<%= html.form.text(result.value.sequence) %>	<%= html.form.checkbox(result.value.kill) %>	<%= html.form.checkbox(result.value.system) %>
<%= item.servicename %>	<%= item.sequence %>	<%= item.kill %>	<%= item.system %>
<%= html.html_escape(item.servicename) %>	<%= html.html_escape(item.sequence) %>	<%= html.html_escape(item.kill) %>	<%= html.html_escape(item.system) %>