luci-app-firewall: fix stored XSS in rule- and forward detail pages

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 2a143f4777e5ec57dfc6c63d55bf80600486efd7)

diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
index d51f8fb79b4a9ca759477ec4fd8019478543c831..bf263bb0b61ab5e92d3b6059de4a177205dde4ca 100644 (file)
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
@@ -25,7 +25,7 @@ else
        if not name or #name == 0 then
                name = translate("(Unnamed Entry)")
        end
-       m.title = "%s - %s" %{ translate("Firewall - Port Forwards"), name }
+       m.title = "%s - %s" %{ translate("Firewall - Port Forwards"), luci.util.pcdata(name) }
 end
 
 s = m:section(NamedSection, arg[1], "redirect", "")

diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
index a4763d5dc4f8cdb58bc6d42c2a3f8238b43179cb..48329c8b219b92e4889c081430055fda006b87f1 100644 (file)
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
@@ -44,7 +44,7 @@ elseif rule_type == "redirect" then
                name = "SNAT %s" % name
        end
 
-       m.title = "%s - %s" %{ translate("Firewall - Traffic Rules"), name }
+       m.title = "%s - %s" %{ translate("Firewall - Traffic Rules"), luci.util.pcdata(name) }
 
        local wan_zone = nil