authorTed Trask <ttrask01@yahoo.com>2009-01-15 21:44:39 +0000
committerTed Trask <ttrask01@yahoo.com>2009-01-15 21:44:39 +0000
commit76cbb205333360ae618c3b8a20faccf747039070 (patch)
treebe2b31718d1352e38aa9572dd11d21f1ae8da2be /app
parentc89e42cf158941545540ad4f8e94f478dec50c1a (diff)
downloadacf-core-76cbb205333360ae618c3b8a20faccf747039070.tar.bz2
acf-core-76cbb205333360ae618c3b8a20faccf747039070.tar.xz
Modified html.lua and viewlibrary.lua and all html files to html_escape variables before displaying them.
git-svn-id: svn://svn.alpinelinux.org/acf/core/trunk@1678 ab2d0c66-481e-0410-8bed-d214d4d58bed
Diffstat (limited to 'app')
-rw-r--r--app/acf-util/logon-html.lsp2
-rw-r--r--app/acf-util/logon-logout-html.lsp2
-rw-r--r--app/acf-util/logon-status-html.lsp4
-rwxr-xr-xapp/acf-util/password-html.lsp2
-rwxr-xr-xapp/acf-util/password-status-html.lsp22
-rw-r--r--app/acf-util/roles-editrole-html.lsp12
-rw-r--r--app/acf-util/roles-html.lsp16
-rw-r--r--app/acf-util/roles-viewroles-html.lsp18
-rw-r--r--app/dispatcherror-html.lsp2
-rw-r--r--app/exception-html.lsp2
-rw-r--r--app/filedetails-html.lsp6
-rw-r--r--app/form-html.lsp2
-rw-r--r--app/startstop-html.lsp6
-rw-r--r--app/status-html.lsp4
-rw-r--r--app/template-html.lsp24
15 files changed, 62 insertions, 62 deletions
diff --git a/app/acf-util/logon-html.lsp b/app/acf-util/logon-html.lsp
index f6137cf..643ab86 100644
--- a/app/acf-util/logon-html.lsp
+++ b/app/acf-util/logon-html.lsp
@@ -4,7 +4,7 @@
io.write(html.cfe_unpack(form))
--]] %>
-<h1><%= form.label %></h1>
+<h1><%= html.html_escape(form.label) %></h1>
<%
form.value.password.type = "password"
form.value.redir.type = "hidden"
diff --git a/app/acf-util/logon-logout-html.lsp b/app/acf-util/logon-logout-html.lsp
index a658ea9..b7b72f4 100644
--- a/app/acf-util/logon-logout-html.lsp
+++ b/app/acf-util/logon-logout-html.lsp
@@ -3,4 +3,4 @@
<%= html.cfe_unpack(view) %>
-<%= view.logout.value %>
+<%= html.html_escape(view.logout.value) %>
diff --git a/app/acf-util/logon-status-html.lsp b/app/acf-util/logon-status-html.lsp
index 5fb70c9..753248f 100644
--- a/app/acf-util/logon-status-html.lsp
+++ b/app/acf-util/logon-status-html.lsp
@@ -4,5 +4,5 @@
--]] %>
<h1>User Status </h1>
<p> Below is your current Session id <p>
-<%= view.value.sessionid.value %>
-<p>You are currently known to the system as <%= view.value.username.value %>.</p>
+<%= html.html_escape(view.value.sessionid.value) %>
+<p>You are currently known to the system as <%= html.html_escape(view.value.username.value) %>.</p>
diff --git a/app/acf-util/password-html.lsp b/app/acf-util/password-html.lsp
index faf8e44..7de8f88 100755
--- a/app/acf-util/password-html.lsp
+++ b/app/acf-util/password-html.lsp
@@ -9,7 +9,7 @@ io.write("</span>")
--]]
%>
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
<%
if form.value.password and form.value.password_confirm then
form.value.password.type = "password"
diff --git a/app/acf-util/password-status-html.lsp b/app/acf-util/password-status-html.lsp
index d7db4e9..714dfae 100755
--- a/app/acf-util/password-status-html.lsp
+++ b/app/acf-util/password-status-html.lsp
@@ -13,29 +13,29 @@ io.write("</span>")
<H1>User Accounts</H1>
<H2>Create new account</H2>
<form action="<%= page_info.script .. page_info.prefix .. page_info.controller %>/newuser" method="POST">
-<input class="hidden" type="hidden" name="redir" value="<%= page_info.orig_action %>" >
+<input class="hidden" type="hidden" name="redir" value="<%= html.html_escape(page_info.orig_action) %>" >
<dl><dt></dt><dd><input class="submit" type="submit" value="New User"></dd></dl>
</form>
<H2>Existing account</H2>
<DL>
<% for name,user in pairs(form.value) do %>
- <DT><IMG SRC='/skins/static/tango/16x16/apps/system-users.png' HEIGHT='16' WIDTH='16'> <%= name %></DT>
+ <DT><IMG SRC='/skins/static/tango/16x16/apps/system-users.png' HEIGHT='16' WIDTH='16'> <%= html.html_escape(name) %></DT>
<DD><TABLE>
<TR>
- <TD STYLE='border:none;'><B><%= user.value.userid.label %></B></TD>
- <TD STYLE='border:none;' WIDTH='90%'><%= user.value.userid.value %></TD>
+ <TD STYLE='border:none;'><B><%= html.html_escape(user.value.userid.label) %></B></TD>
+ <TD STYLE='border:none;' WIDTH='90%'><%= html.html_escape(user.value.userid.value) %></TD>
</TR><TR>
- <TD STYLE='border:none;'><B><%= user.value.username.label %></B></TD>
- <TD STYLE='border:none;'><%= user.value.username.value %></TD>
+ <TD STYLE='border:none;'><B><%= html.html_escape(user.value.username.label) %></B></TD>
+ <TD STYLE='border:none;'><%= html.html_escape(user.value.username.value) %></TD>
</TR><TR>
- <TD STYLE='border:none;'><B><%= user.value.roles.label %></B></TD>
- <TD STYLE='border:none;'><%= table.concat(user.value.roles.value, " / ") %></TD>
+ <TD STYLE='border:none;'><B><%= html.html_escape(user.value.roles.label) %></B></TD>
+ <TD STYLE='border:none;'><%= html.html_escape(table.concat(user.value.roles.value, " / ")) %></TD>
</TR><TR>
<TD STYLE='border:none;'><B>Option</B></TD>
<TD STYLE='border:none;'>
- [<A HREF='edituser?userid=<%= name %>&redir=<%= page_info.orig_action %>'>Edit this account</A>]
- [<A HREF='deleteuser?userid=<%= name %>'>Delete this account</A>]
- [<A HREF='<%= page_info.script %>/acf-util/roles/viewuserroles?userid=<%= name %>'>View roles for this account</A>]
+ [<A HREF='edituser?userid=<%= html.html_escape(name) %>&redir=<%= html.html_escape(page_info.orig_action) %>'>Edit this account</A>]
+ [<A HREF='deleteuser?userid=<%= html.html_escape(name) %>'>Delete this account</A>]
+ [<A HREF='<%= html.html_escape(page_info.script) %>/acf-util/roles/viewuserroles?userid=<%= html.html_escape(name) %>'>View roles for this account</A>]
</TD>
</TR>
</TABLE></DD>
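Review bot: The form action on the context line `<form action="<%= page_info.script .. page_info.prefix .. page_info.controller %>/newuser"` in this hunk is still emitted unescaped, while the identical expression in roles-viewroles-html.lsp is wrapped in html.html_escape by this same commit; wrapping it the same way, `<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller) %>/newuser" method="POST">`, keeps the two pages consistent. Separately, the new `edituser?userid=<%= html.html_escape(name) %>` links (and the matching role links in roles-viewroles-html.lsp) place `name` inside a URL query string, where html_escape only protects the HTML attribute context; a name containing URL-reserved characters such as `&`, `=` or `#` is still read as query syntax once the browser decodes the entities. A percent-encoding step applied before html_escape is needed for those values; this diff does not show whether html.lua provides one.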
diff --git a/app/acf-util/roles-editrole-html.lsp b/app/acf-util/roles-editrole-html.lsp
index 1997a97..f243ecb 100644
--- a/app/acf-util/roles-editrole-html.lsp
+++ b/app/acf-util/roles-editrole-html.lsp
@@ -5,7 +5,7 @@
io.write(html.cfe_unpack(form))
--]] %>
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
<%
displayformstart(form, page_info)
-- If editing existing role, disable role
@@ -23,7 +23,7 @@
myitem.class = "error"
io.write(' class="error"')
end
- io.write(">" .. myitem.label .. "</DT>\n")
+ io.write(">" .. html.html_escape(myitem.label) .. "</DT>\n")
io.write("<DD>")
-- FIXME multiple select doesn't work in haserl, so use series of checkboxes
myitem.class = nil
@@ -44,7 +44,7 @@
myitem.checked = reverseval[val]
if reversedefault[val] then myitem.disabled = true else myitem.disabled = nil end
myitem.name = tempname .. "." .. x
- io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "<br>\n")
end
-- Check for values not in options
if myitem.errtxt then
@@ -55,7 +55,7 @@
if not reverseopt[val] then
myitem.value = val
myitem.checked = true
- io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ io.write(html.form.checkbox(myitem) .. html.html_escape(val) .. "<br>\n")
end
end
if myitem.errtxt then
@@ -64,8 +64,8 @@
myitem.name = tempname
myitem.value = tempval
- if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(myitem.descr, "\n", "<BR>") .. "</P>\n") end
- if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(myitem.errtxt, "\n", "<BR>") .. "</P>\n") end
+ if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(html.html_escape(myitem.descr), "\n", "<BR>") .. "</P>\n") end
+ if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(html.html_escape(myitem.errtxt), "\n", "<BR>") .. "</P>\n") end
io.write("</DD>\n")
io.write("</DL>\n")
diff --git a/app/acf-util/roles-html.lsp b/app/acf-util/roles-html.lsp
index 16e4747..d61e60a 100644
--- a/app/acf-util/roles-html.lsp
+++ b/app/acf-util/roles-html.lsp
@@ -5,17 +5,17 @@
<% ---[[ %>
<% if view.value.userid then %>
- <H1>Roles/Permission list for <%= view.value.userid.value %>:</H1>
+ <H1>Roles/Permission list for <%= html.html_escape(view.value.userid.value) %>:</H1>
<% elseif view.value.role then %>
- <H1>Permission list for <%= view.value.role.value %>:</H1>
+ <H1>Permission list for <%= html.html_escape(view.value.role.value) %>:</H1>
<% else %>
<H1>Complete permission list:</H1>
<% end %>
<% if view.value.roles then %>
- <H2><%= view.value.userid.value %> is valid in these roles</H2>
+ <H2><%= html.html_escape(view.value.userid.value) %> is valid in these roles</H2>
<% for a,b in pairs(view.value.roles.value) do
- print("<li>",b,"</li>")
+ print("<li>",html.html_escape(b),"</li>")
end %>
<% end %>
<% --]] %>
@@ -23,9 +23,9 @@
<% ---[[ %>
<% if view.value.permissions then %>
<% if view.value.userid then %>
- <H2><%= view.value.userid.value %>'s full permissions are</H2>
+ <H2><%= html.html_escape(view.value.userid.value) %>'s full permissions are</H2>
<% elseif view.value.role then %>
- <H2><%= view.value.role.value %>'s full permissions are</H2>
+ <H2><%= html.html_escape(view.value.role.value) %>'s full permissions are</H2>
<% end %>
<% local controllers = {}
-- It's nice to have it in alphabetical order
@@ -36,7 +36,7 @@
io.write("<TABLE>")
io.write("<TR><TD CLASS='header'>Controller</TD><TD CLASS='header'>Action(s)</TD>")
for x,cont in ipairs(controllers) do
- print("<TR><TD STYLE='font-weight:bold;'>",cont,"</TD><TD>")
+ print("<TR><TD STYLE='font-weight:bold;'>",html.html_escape(cont),"</TD><TD>")
-- Again, alphabetical order
local actions = {}
for act in pairs(view.value.permissions.value[cont]) do
@@ -44,7 +44,7 @@
end
table.sort(actions)
for y,act in pairs(actions) do
- print(act)
+ print(html.html_escape(act))
end
io.write("<TD></TR>")
end
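Review bot: The context line `io.write("<TD></TR>")` at the end of the controller loop opens a second TD instead of closing the one that holds the action list; it should read `io.write("</TD></TR>")`. This is pre-existing rather than introduced here, but the hunk already touches the line just above it, so folding the fix in is cheap. The enclosing for-loop starts before this hunk.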
diff --git a/app/acf-util/roles-viewroles-html.lsp b/app/acf-util/roles-viewroles-html.lsp
index 0334499..46fdfc2 100644
--- a/app/acf-util/roles-viewroles-html.lsp
+++ b/app/acf-util/roles-viewroles-html.lsp
@@ -9,8 +9,8 @@
<H1>Roles</H1>
<H2>Create new role</H2>
-<form action="<%= page_info.script .. page_info.prefix .. page_info.controller %>/newrole" method="POST">
-<input class="hidden" type="hidden" name="redir" value="<%= page_info.orig_action %>" >
+<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller) %>/newrole" method="POST">
+<input class="hidden" type="hidden" name="redir" value="<%= html.html_escape(page_info.orig_action) %>" >
<dl><dt></dt><dd><input class="submit" type="submit" value="New Role"></dd></dl>
</form>
@@ -18,10 +18,10 @@
<% if view.value.default_roles then %>
<dl>
<% for x,role in pairs(view.value.default_roles.value) do %>
- <dt><img src='/skins/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= role %></dt>
+ <dt><img src='/skins/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= html.html_escape(role) %></dt>
<dd>
- [<a href='viewroleperms?role=<%= role %>'>View this role</a>]
- [<a href='editrole?role=<%= role %>&redir=<%= page_info.orig_action %>'>Edit this role</a>]
+ [<a href='viewroleperms?role=<%= html.html_escape(role) %>'>View this role</a>]
+ [<a href='editrole?role=<%= html.html_escape(role) %>&redir=<%= html.html_escape(page_info.orig_action) %>'>Edit this role</a>]
</dd>
<% end %>
</dl>
@@ -30,11 +30,11 @@
<dl>
<% table.sort(view.value.defined_roles.value) %>
<% for x,role in pairs(view.value.defined_roles.value) do %>
- <dt><img src='/skins/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= role %></dt>
+ <dt><img src='/skins/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= html.html_escape(role) %></dt>
<dd>
- [<a href='viewroleperms?role=<%= role %>'>View this role</a>]
- [<a href='editrole?role=<%= role %>&redir=<%= page_info.orig_action %>'>Edit this role</a>]
- [<a href='deleterole?role=<%= role %>'>Delete this role</a>]
+ [<a href='viewroleperms?role=<%= html.html_escape(role) %>'>View this role</a>]
+ [<a href='editrole?role=<%= html.html_escape(role) %>&redir=<%= html.html_escape(page_info.orig_action) %>'>Edit this role</a>]
+ [<a href='deleterole?role=<%= html.html_escape(role) %>'>Delete this role</a>]
</dd>
<% end %>
</dl>
diff --git a/app/dispatcherror-html.lsp b/app/dispatcherror-html.lsp
index ce6b5c8..82f873f 100644
--- a/app/dispatcherror-html.lsp
+++ b/app/dispatcherror-html.lsp
@@ -27,4 +27,4 @@
<h1>Alpine Configuration Framework</h1>
<p class="errordetail">Dispatch error occured</p>
-<p class="hiddendetail">'<%= view.controller %>' does not have a '<%= view.action %>' action.</p>
+<p class="hiddendetail">'<%= html.html_escapt(view.controller) %>' does not have a '<%= html.html_escape(view.action) %>' action.</p>
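Review bot: The new line calls `html.html_escapt(view.controller)`, a typo for `html.html_escape`; `html.html_escapt` is nil, so rendering the dispatch-error page will itself raise a Lua error ("attempt to call field 'html_escapt'") instead of showing the intended message. Change it to `<p class="hiddendetail">'<%= html.html_escape(view.controller) %>' does not have a '<%= html.html_escape(view.action) %>' action.</p>`. Because this view is only reached when a request routes to a missing action, the breakage sits on exactly the error path least likely to be exercised in manual testing.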
diff --git a/app/exception-html.lsp b/app/exception-html.lsp
index 9b7a441..3bd6621 100644
--- a/app/exception-html.lsp
+++ b/app/exception-html.lsp
@@ -27,4 +27,4 @@
<h1>Alpine Configuration Framework</h1>
<p class="errordetail">Application error occured</p>
-<p class="hiddendetail"><%= view.message %></p>
+<p class="hiddendetail"><%= html.html_escape(view.message) %></p>
diff --git a/app/filedetails-html.lsp b/app/filedetails-html.lsp
index ccf7a0c..59d0cdd 100644
--- a/app/filedetails-html.lsp
+++ b/app/filedetails-html.lsp
@@ -20,13 +20,13 @@ displayitem(form.value.mtime)
<% if form.type == "form" then %>
<% form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>
<% displayformstart(form) %>
-<input type="hidden" name="filename" value="<%= form.value.filename.value %>">
+<input type="hidden" name="filename" value="<%= html.html_escape(form.value.filename.value) %>">
<% end %>
<textarea name="filecontent">
<%= html.html_escape(form.value.filecontent.value) %>
</textarea>
-<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(form.value.filecontent.errtxt, "\n", "<BR>") %></P><% end %>
-<% if form.value.filecontent.descr then %><P CLASS='descr'><%= string.gsub(form.value.filecontent.descr, "\n", "<BR>") %></P><% end %>
+<% if form.value.filecontent.errtxt then %><P CLASS='error'><%= string.gsub(html.html_escape(form.value.filecontent.errtxt), "\n", "<BR>") %></P><% end %>
+<% if form.value.filecontent.descr then %><P CLASS='descr'><%= string.gsub(html.html_escape(form.value.filecontent.descr), "\n", "<BR>") %></P><% end %>
<% if form.type == "form" then %>
<H3>Save</H3>
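Review bot: `<%= string.gsub(html.html_escape(form.value.filecontent.errtxt), "\n", "<BR>") %>` evaluates to two values, the rewritten string and the substitution count; if the template's `<%= %>` forwards every value of its expression to io.write (as a plain `io.write(expr)` expansion would), the count is printed after the paragraph text. Wrapping the call in parentheses truncates it to the first value: `<%= (string.gsub(html.html_escape(form.value.filecontent.errtxt), "\n", "<BR>")) %>`, and likewise for the descr line below it. The same pattern appears in the two `<P CLASS=...>` lines of startstop-html.lsp in this commit; the roles-editrole-html.lsp occurrences sit inside a `..` concatenation and are already truncated to one value.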
diff --git a/app/form-html.lsp b/app/form-html.lsp
index de09780..cc50d2c 100644
--- a/app/form-html.lsp
+++ b/app/form-html.lsp
@@ -2,7 +2,7 @@
require("viewfunctions")
%>
-<H1><%= form.label %></H1>
+<H1><%= html.html_escape(form.label) %></H1>
<%
form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
displayform(form)
diff --git a/app/startstop-html.lsp b/app/startstop-html.lsp
index cbe4d5f..ab9b8ac 100644
--- a/app/startstop-html.lsp
+++ b/app/startstop-html.lsp
@@ -2,7 +2,7 @@
<H1>Management</H1>
<DL>
-<form action="<%= page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action %>" method="POST">
+<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action) %>" method="POST">
<DT>Program control-panel</DT>
<DD>
<input class="submit" type="submit" name="action" value="Start" <% if data.value.status.value== "Running" then io.write("disabled") end %>>
@@ -15,9 +15,9 @@
<DT>Previous action result</DT>
<DD>
<% if data.value.result.value ~= "" then %>
-<P CLASS='descr'><%= string.gsub(data.value.result.value, "\n", "<BR>") %></P>
+<P CLASS='descr'><%= string.gsub(html.html_escape(data.value.result.value), "\n", "<BR>") %></P>
<% end if data.value.result.errtxt then %>
-<P CLASS='error'><%= string.gsub(data.value.result.errtxt, "\n", "<BR>") %></P>
+<P CLASS='error'><%= string.gsub(html.html_escape(data.value.result.errtxt), "\n", "<BR>") %></P>
<% end end %>
</DD>
</DL>
diff --git a/app/status-html.lsp b/app/status-html.lsp
index f1e4c5c..8bd53db 100644
--- a/app/status-html.lsp
+++ b/app/status-html.lsp
@@ -12,13 +12,13 @@ displayitem(data.value.status)
displayitem(data.value.version)
if data.value.version and data.value.version.errtxt and session.permissions.apk and session.permissions.apk.install then
%>
- <a href="<%= page_info.script .. "/apk-tools/apk/install?package="..data.value.version.name %>">Install</a>
+ <a href="<%= html.html_escape(page_info.script .. "/apk-tools/apk/install?package="..data.value.version.name) %>">Install</a>
<%
end
displayitem(data.value.autostart)
if not (data.value.version and data.value.version.errtxt) and data.value.autostart and data.value.autostart.errtxt and session.permissions.rc and session.permissions.rc.edit then
%>
- <a href="<%= page_info.script .. "/alpine-baselayout/rc/edit?servicename="..data.value.autostart.name.."&redir=".. page_info.orig_action %>">Schedule autostart</a>
+ <a href="<%= html.html_escape(page_info.script .. "/alpine-baselayout/rc/edit?servicename="..data.value.autostart.name.."&redir=".. page_info.orig_action) %>">Schedule autostart</a>
<% end %>
</DL>
diff --git a/app/template-html.lsp b/app/template-html.lsp
index 4cd4f4d..cf6054b 100644
--- a/app/template-html.lsp
+++ b/app/template-html.lsp
@@ -22,11 +22,11 @@ if viewlibrary and viewlibrary.dispatch_component then
end
end
%>
-<title><%= hostname .. " - " .. pageinfo.controller .. "->" .. pageinfo.action %></title>
-<link rel="stylesheet" type="text/css" href="<%= pageinfo.skindir %>static/reset.css">
-<link rel="stylesheet" type="text/css" href="<%= pageinfo.skindir .. pageinfo.skin.."/"..pageinfo.skin..".css" %>">
+<title><%= html.html_escape(hostname .. " - " .. pageinfo.controller .. "->" .. pageinfo.action) %></title>
+<link rel="stylesheet" type="text/css" href="<%= html.html_escape(pageinfo.skindir) %>static/reset.css">
+<link rel="stylesheet" type="text/css" href="<%= html.html_escape(pageinfo.skindir .. pageinfo.skin.."/"..pageinfo.skin..".css") %>">
<!--[if IE]>
-<link rel="stylesheet" type="text/css" href="<%= pageinfo.skindir .. pageinfo.skin.."/"..pageinfo.skin.."-ie.css" %>">
+<link rel="stylesheet" type="text/css" href="<%= html.html_escape(pageinfo.skindir .. pageinfo.skin.."/"..pageinfo.skin.."-ie.css") %>">
<![endif]-->
</head>
<body>
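Review bot: The new `<title>` line concatenates `hostname` directly inside `html.html_escape(hostname .. " - " .. pageinfo.controller .. "->" .. pageinfo.action)`, while the logo block later in this file uses `hostname or "unknown hostname"`, which suggests hostname can be nil; if it is, the concatenation raises before html_escape is reached and the whole page fails to render. Applying the same fallback here, `<title><%= html.html_escape((hostname or "unknown hostname") .. " - " .. pageinfo.controller .. "->" .. pageinfo.action) %></title>`, keeps the two places consistent. The `<% %>` block that this hunk closes begins before the hunk.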
@@ -39,7 +39,7 @@ end
<div id="logo">
<div class="leader"></div>
<h1>AlpineLinux</h1>
- <p><%= hostname or "unknown hostname" %></p>
+ <p><%= html.html_escape(hostname or "unknown hostname") %></p>
<div class="tailer"></div>
</div>
<span class="mute">
@@ -47,9 +47,9 @@ end
<% local ctlr = pageinfo.script .. "/acf-util/logon/"
if session.userinfo and session.userinfo.userid then
- io.write ( string.format("\t\t\t\t\t\t<a href=\"%s\">Log out as '" .. session.userinfo.userid .. "'</a>\n", ctlr .. "logout" ) )
+ io.write ( string.format("\t\t\t\t\t\t<a href=\"%s\">Log out as '" .. html.html_escape(session.userinfo.userid) .. "'</a>\n", html.html_escape(ctlr) .. "logout" ) )
else
- io.write ( string.format("\t\t\t\t\t\t<a href=\"%s\">Log in</a>\n", ctlr .. "logon" ) )
+ io.write ( string.format("\t\t\t\t\t\t<a href=\"%s\">Log in</a>\n", html.html_escape(ctlr) .. "logon" ) )
end %>
|
<a href="/">home</a> |
@@ -72,7 +72,7 @@ end
local tabs
io.write ( "<ul>")
for x,cat in ipairs(session.menu.cats) do
- io.write (string.format("\n\t\t\t\t<li>%s\n\t\t\t\t\t<ul>\n", cat.name)) --start row
+ io.write (string.format("\n\t\t\t\t<li>%s\n\t\t\t\t\t<ul>\n", html.html_escape(cat.name))) --start row
for y,group in ipairs(cat.groups) do
if pageinfo.prefix == group.prefix .. '/' and pageinfo.controller == group.controller then
class="class='selected'"
@@ -81,7 +81,7 @@ end
class=""
end
io.write (string.format("\t\t\t\t\t\t<li %s><a href=\"%s%s/%s/%s\">%s</a></li>\n",
- class,pageinfo.script,group.prefix, group.controller, group.tabs[1].action, group.name ))
+ html.html_escape(class),html.html_escape(pageinfo.script),html.html_escape(group.prefix), html.html_escape(group.controller), html.html_escape(group.tabs[1].action), html.html_escape(group.name) ))
end
io.write ( "\t\t\t\t\t</ul>" )
end
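Review bot: `html.html_escape(class)` escapes a value the template itself sets to the literal markup `class='selected'` in the previous hunk; it is not data from the request or the model, and if html_escape rewrites single quotes the selected tab would be emitted as something like `<li class=&#39;selected&#39;>` and lose its styling. Only the model-derived arguments need escaping here, i.e. `class,html.html_escape(pageinfo.script),html.html_escape(group.prefix), html.html_escape(group.controller), html.html_escape(group.tabs[1].action), html.html_escape(group.name) ))`. The same applies to the two `html.html_escape(class)` arguments in the tab loop further down this file. Note also that `class` is assigned without `local` on the context line `class=""`, so it is a global rather than a loop-scoped variable; a `local class` declared above the loop would tighten that. The enclosing for-loop begins before this hunk.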
@@ -96,7 +96,7 @@ end
<div id="postnav">
<div class="leader">
</div>
- <h2><%= pageinfo.controller %> : <%= pageinfo.action %></h2>
+ <h2><%= html.html_escape(pageinfo.controller) %> : <%= html.html_escape(pageinfo.action) %></h2>
<!-- FIXME: Next row is 'dead' data! Remove 'class=hide' when done! -->
<p class='hide'>[ welcome ] > [ login ] > [ bgp ] > [ firewall ] > [ content filter ] > [ interfaces ]</p>
<div class="tailer">
@@ -119,7 +119,7 @@ end
class=""
end
io.write (string.format('<li %s><a %s href="%s">%s</a></li>\n',
- class,class,tab.action,tab.name ))
+ html.html_escape(class),html.html_escape(class),html.html_escape(tab.action),html.html_escape(tab.name) ))
end
%>
</ul>
@@ -144,7 +144,7 @@ end
<div id="footer">
<div class="leader">
</div>
- <p>Page generated in <%= os.clock() %> seconds on <%= os.date() %>.</p>
+ <p>Page generated in <%= html.html_escape(os.clock()) %> seconds on <%= html.html_escape(os.date()) %>.</p>
<div class="tailer">
</div>
</div> <!-- footer -->
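Review bot: html.html_escape is applied to `os.clock()`, which is a number, and to `os.date()`; neither value is influenced by the request, and whether html_escape accepts a non-string argument depends on its implementation in html.lua, which is not part of this diff. Leaving this line as `<p>Page generated in <%= os.clock() %> seconds on <%= os.date() %>.</p>` avoids that dependency without losing any escaping that matters.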