From: Jo-Philipp Wich Date: Thu, 5 Apr 2018 21:00:46 +0000 (+0200) Subject: luci-mod-admin-full: escape display parameter X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=bfc98bec4d79efb24434e11ea27b3c17c31365ab;p=project%2Fluci.git luci-mod-admin-full: escape display parameter Prevent reflected XSS through the reset button by url encoding the display parameter. Signed-off-by: Jo-Philipp Wich --- diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm index d5d78289be..88e0fffd9c 100644 --- a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm +++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm @@ -69,7 +69,7 @@ end <% if querypat then %>
<%:Displaying only packages containing%> "<%=pcdata(query)%>" - +
<% end %>