projects / project / luci.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
themes: Call striptags() on hostname to prevent XSS
[project/luci.git] / themes / luci-theme-bootstrap / luasrc / view / themes / bootstrap / header.htm
diff --git a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm
index 5e3687935b9170b42ef8b2edb2565acb28ca6544..99ffc210748fb872aab2976938db795f880e9446 100644 (file)
--- a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm
+++ b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm
@@ -41,7 +41,7 @@
                <header>
                        <div class="fill">
                                <div class="container">
-                                       <a class="brand" href="#"><%=boardinfo.hostname or "?"%></a>
+                                       <a class="brand" href="#"><%=striptags(boardinfo.hostname or "?")%></a>
                                        <ul class="nav" id="topmenu" style="display:none"></ul>
                                        <div id="indicators" class="pull-right"></div>
                                </div>
Lua Configuration Interface (mirror)