From: Hauke Mehrtens Date: Tue, 8 Jun 2021 23:28:44 +0000 (+0200) Subject: themes: Call striptags() on hostname to prevent XSS X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=refs%2Fpull%2F5109%2Fhead;p=project%2Fluci.git themes: Call striptags() on hostname to prevent XSS This calls striptags() on the hostname to prevent any XSS over the hostname. This should fix CVE-2021-33425 as far as I understood it. If someone adds some Javascript into system.@system[0].hostname it would have been directly added to the page, this prevents the problem. This can only be exploited by someone being able to modify the uci configuration, normally a user with such privileges could also just modify the webpage. Signed-off-by: Hauke Mehrtens --- diff --git a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm index ad2d7feef5..81a23d63af 100644 --- a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm +++ b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm @@ -41,7 +41,7 @@
diff --git a/themes/luci-theme-material/luasrc/view/themes/material/header.htm b/themes/luci-theme-material/luasrc/view/themes/material/header.htm index f81aae5ac1..8c418b6fc2 100644 --- a/themes/luci-theme-material/luasrc/view/themes/material/header.htm +++ b/themes/luci-theme-material/luasrc/view/themes/material/header.htm @@ -190,7 +190,7 @@
- <%=boardinfo.hostname or "?"%> + <%=striptags(boardinfo.hostname or "?")%>