luci-mod-system: fix potential stored XSS

Make sure to escape the key contents in the delete confirmation dialog.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js b/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
index df3e354e37fc669f728d96f362b31dbfd0b87147..a1748ad9907ea23c49e0cfbd231ca3f59be1fa83 100644 (file)
--- a/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
+++ b/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
@@ -204,7 +204,7 @@ function removeKey(ev) {
 
        L.showModal(_('Delete key'), [
                E('div', _('Do you really want to delete the following SSH key?')),
-               E('pre', delkey),
+               E('pre', [ delkey ]),
                E('div', { class: 'right' }, [
                        E('div', { class: 'btn', click: L.hideModal }, _('Cancel')),
                        ' ',