projects / project / luci.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
themes: Call striptags() on hostname to prevent XSS
[project/luci.git] / themes / luci-theme-openwrt / luasrc / view / themes / openwrt.org / header.htm
diff --git a/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm b/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm
index fafd86f35e483b8f5faae6f49d99e26bba90afef..77c86596fcae65efe0eaac2be1e8b38ea5ac2270 100644 (file)
--- a/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm
+++ b/themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm
@@ -50,7 +50,7 @@
 <h2 class="navigation"><a id="navigation" name="navigation"><%:Navigation%></a></h2>
 
 <div class="hostinfo">
-       <%=(boardinfo.hostname or "?")%> | <%=ver.distversion%> |
+       <%=striptags(boardinfo.hostname or "?")%> | <%=ver.distversion%> |
        <%:Load%>: <%="%.2f" % (loadinfo[1] / 65535.0)%> <%="%.2f" % (loadinfo[2] / 65535.0)%> <%="%.2f" % (loadinfo[3] / 65535.0)%>
 </div>
 
Lua Configuration Interface (mirror)