From 5cbd79d7e31c0f0feaea2770bf102bbae7831e3c Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Wed, 9 Jun 2021 01:28:44 +0200 Subject: [PATCH] themes: Call striptags() on hostname to prevent XSS This calls striptags() on the hostname to prevent any XSS over the hostname. This should fix CVE-2021-33425 as far as I understood it. If someone adds some Javascript into system.@system[0].hostname it would have been directly added to the page, this prevents the problem. This can only be exploited by someone being able to modify the uci configuration, normally a user with such privileges could also just modify the webpage. Signed-off-by: Hauke Mehrtens --- .../luasrc/view/themes/bootstrap/header.htm | 2 +- .../luci-theme-material/luasrc/view/themes/material/header.htm | 2 +- .../luasrc/view/themes/openwrt2020/header.htm | 2 +- .../luasrc/view/themes/openwrt.org/header.htm | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm index ad2d7feef5..81a23d63af 100644 --- a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm +++ b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm @@ -41,7 +41,7 @@
- <%=boardinfo.hostname or "?"%> + <%=striptags(boardinfo.hostname or "?")%>
diff --git a/themes/luci-theme-material/luasrc/view/themes/material/header.htm b/themes/luci-theme-material/luasrc/view/themes/material/header.htm index f81aae5ac1..8c418b6fc2 100644 --- a/themes/luci-theme-material/luasrc/view/themes/material/header.htm +++ b/themes/luci-theme-material/luasrc/view/themes/material/header.htm @@ -190,7 +190,7 @@
- <%=boardinfo.hostname or "?"%> + <%=striptags(boardinfo.hostname or "?")%>