From 23029f5163a4864922056bf1f043914b1b806967 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Tue, 12 Feb 2019 08:32:02 +0100
Subject: [PATCH] treewide: avoid double-escaping CBI section labels

Since the section labels are already HTML-escaped implicitely by the
striptags() function, we must not escape them again in attr() or
ifattr().

Fixes: #2524
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit eda8f02dac3caa4d0f52cd1e860d7a392c295df3)
---
 .../luci-app-adblock/luasrc/view/adblock/blocklist.htm        | 2 +-
 modules/luci-base/luasrc/view/cbi/cell_valueheader.htm        | 4 ++--
 modules/luci-base/luasrc/view/cbi/tblsection.htm              | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/applications/luci-app-adblock/luasrc/view/adblock/blocklist.htm b/applications/luci-app-adblock/luasrc/view/adblock/blocklist.htm
index a6f2286513..a76c98012c 100644
--- a/applications/luci-app-adblock/luasrc/view/adblock/blocklist.htm
+++ b/applications/luci-app-adblock/luasrc/view/adblock/blocklist.htm
@@ -62,7 +62,7 @@ local anonclass  = (not self.anonymous or self.sectiontitle) and "named" or "ano
 				for i, k in ipairs(self:cfgsections()) do
 					section = k
 					local sectionname  = striptags((type(self.sectiontitle) == "function") and self:sectiontitle(section) or k)
-					local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname)
+					local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname, true)
 					isempty = false
 					scope = { valueheader = "cbi/cell_valueheader", valuefooter = "cbi/cell_valuefooter" }
 			-%>
diff --git a/modules/luci-base/luasrc/view/cbi/cell_valueheader.htm b/modules/luci-base/luasrc/view/cbi/cell_valueheader.htm
index ea0568f409..cb11d8f61a 100644
--- a/modules/luci-base/luasrc/view/cbi/cell_valueheader.htm
+++ b/modules/luci-base/luasrc/view/cbi/cell_valueheader.htm
@@ -6,7 +6,7 @@
 <div class="td cbi-value-field<% if self.error and self.error[section] then %> cbi-value-error<% end %>"<%=
 	attr("data-name", self.option) ..
 	ifattr(ftype and #ftype > 0, "data-type", ftype) ..
-	ifattr(title and #title > 0, "data-title", title) ..
-	ifattr(descr and #descr > 0, "data-description", descr)
+	ifattr(title and #title > 0, "data-title", title, true) ..
+	ifattr(descr and #descr > 0, "data-description", descr, true)
 %>>
 <div id="cbi-<%=self.config.."-"..section.."-"..self.option%>" data-index="<%=self.index%>" data-depends="<%=pcdata(self:deplist2json(section))%>">
diff --git a/modules/luci-base/luasrc/view/cbi/tblsection.htm b/modules/luci-base/luasrc/view/cbi/tblsection.htm
index 408dfa7fe8..11c2206d8c 100644
--- a/modules/luci-base/luasrc/view/cbi/tblsection.htm
+++ b/modules/luci-base/luasrc/view/cbi/tblsection.htm
@@ -127,7 +127,7 @@ end
 				section = k
 
 				local sectionname = striptags((type(self.sectiontitle) == "function") and self:sectiontitle(section) or k)
-				local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname)
+				local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname, true)
 				local colorclass = (self.extedit or self.rowcolors) and rowstyle() or ""
 				local scope = {
 					valueheader = "cbi/cell_valueheader",
-- 
2.30.2