From 15ca915da92686dce86be05c205118f57ec7015a Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Wed, 9 Jun 2021 01:28:44 +0200 Subject: [PATCH] themes: Call striptags() on hostname to prevent XSS This calls striptags() on the hostname to prevent any XSS over the hostname. This should fix CVE-2021-33425 as far as I understood it. If someone adds some Javascript into system.@system[0].hostname it would have been directly added to the page, this prevents the problem. This can only be exploited by someone being able to modify the uci configuration, normally a user with such privileges could also just modify the webpage. Signed-off-by: Hauke Mehrtens (cherry picked from commit 5cbd79d7e31c0f0feaea2770bf102bbae7831e3c) --- .../luasrc/view/themes/bootstrap/header.htm | 2 +- .../luci-theme-material/luasrc/view/themes/material/header.htm | 2 +- .../luasrc/view/themes/openwrt.org/header.htm | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm index 5e3687935b..99ffc21074 100644 --- a/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm +++ b/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm @@ -41,7 +41,7 @@
diff --git a/themes/luci-theme-material/luasrc/view/themes/material/header.htm b/themes/luci-theme-material/luasrc/view/themes/material/header.htm index 5abfb481b6..d6e50c40cd 100644 --- a/themes/luci-theme-material/luasrc/view/themes/material/header.htm +++ b/themes/luci-theme-material/luasrc/view/themes/material/header.htm @@ -190,7 +190,7 @@
- <%=boardinfo.hostname or "?"%> + <%=striptags(boardinfo.hostname or "?")%>