luci-app-openvpn: fix potential XSS in pageswitch template

Ensure to escape URL instance parameter displayed in the heading.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 25983b9fa572a640a7ecd077378df2790266cd61)

diff --git a/applications/luci-app-openvpn/luasrc/view/openvpn/pageswitch.htm b/applications/luci-app-openvpn/luasrc/view/openvpn/pageswitch.htm
index 07927630855b4f9c4851d48bc88938b66203f4e8..c464ef4781b160b4f2cb9c5899dbf4fa5d77bf49 100644 (file)
--- a/applications/luci-app-openvpn/luasrc/view/openvpn/pageswitch.htm
+++ b/applications/luci-app-openvpn/luasrc/view/openvpn/pageswitch.htm
@@ -9,7 +9,7 @@
 <div class="cbi-section">
        <h3>
                <a href="<%=url('admin/vpn/openvpn')%>"><%:Overview%></a> &#187;
-               <%=luci.i18n.translatef("Instance \"%s\"", self.instance)%>
+               <%=luci.i18n.translatef("Instance \"%s\"", pcdata(self.instance))%>
        </h3>
        <% if self.mode == "basic" then %>
                <a href="<%=url('admin/vpn/openvpn/advanced', self.instance)%>"><%:Switch to advanced configuration%> &#187;</a><p/>