git.openwrt.org Git - project/luci.git/commit - themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm

author	Hauke Mehrtens <hauke@hauke-m.de>
	Tue, 8 Jun 2021 23:28:44 +0000 (01:28 +0200)
committer	Hauke Mehrtens <hauke@hauke-m.de>
	Tue, 8 Jun 2021 23:33:44 +0000 (01:33 +0200)
commit	5cbd79d7e31c0f0feaea2770bf102bbae7831e3c
tree	ac1d330cb1d8ecb385ccaad940ee5e4b6e685783	tree \| snapshot
parent	da97288015e0a8919c55075d71d88890e2f339f3	commit \| diff

themes: Call striptags() on hostname to prevent XSS

This calls striptags() on the hostname to prevent any XSS over the
hostname. This should fix CVE-2021-33425 as far as I understood it.

If someone adds some Javascript into system.@system[0].hostname it would
have been directly added to the page, this prevents the problem.

This can only be exploited by someone being able to modify the uci
configuration, normally a user with such privileges could also just
modify the webpage.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm		diff \| blob \| history
themes/luci-theme-material/luasrc/view/themes/material/header.htm		diff \| blob \| history
themes/luci-theme-openwrt-2020/luasrc/view/themes/openwrt2020/header.htm		diff \| blob \| history
themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm		diff \| blob \| history