luci-mod-admin-full: escape display parameter

author Jo-Philipp Wich <jo@mein.io>

Thu, 5 Apr 2018 21:00:46 +0000 (23:00 +0200)

committer Jo-Philipp Wich <jo@mein.io>

Thu, 5 Apr 2018 21:03:01 +0000 (23:03 +0200)
author Jo-Philipp Wich <jo@mein.io>
Thu, 5 Apr 2018 21:00:46 +0000 (23:00 +0200)
committer Jo-Philipp Wich <jo@mein.io>
Thu, 5 Apr 2018 21:03:01 +0000 (23:03 +0200)
diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm

index d5d78289be3f38fa478cbd4651aebda08824e925..88e0fffd9c82c2cee3d5b41c4172c187b6015ab9 100644 (file)
--- a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
@@ -69,7 +69,7 @@ end
                                 <% if querypat then %>
                                 <div class="cbi-value">
                                         <%:Displaying only packages containing%> <strong>"<%=pcdata(query)%>"</strong>
-                                       <input type="button" onclick="location.href='?display=<%=pcdata(display)%>'" href="#" class="cbi-button cbi-button-reset" style="margin-left:1em" value="<%:Reset%>" />
+                                       <input type="button" onclick="location.href='?display=<%=luci.http.urlencode(display)%>'" href="#" class="cbi-button cbi-button-reset" style="margin-left:1em" value="<%:Reset%>" />
                                         <br style="clear:both" />
                                 </div>
                                 <% end %>
author	Jo-Philipp Wich <jo@mein.io>
	Thu, 5 Apr 2018 21:00:46 +0000 (23:00 +0200)
committer	Jo-Philipp Wich <jo@mein.io>
	Thu, 5 Apr 2018 21:03:01 +0000 (23:03 +0200)