From 5c31937a0f0bf8fa2f0161cadae9688fff9c227e Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Sat, 7 Apr 2018 11:43:44 +0200
Subject: [PATCH] luci-base: escape path strings and field parameter

Prevent various XSS vectors by not interpolating field and path values
verbatim into script and html contexts.

Signed-off-by: Jo-Philipp Wich
---
 .../luci-base/luasrc/view/cbi/filebrowser.htm | 61 ++++++++++---------
 1 file changed, 33 insertions(+), 28 deletions(-)

diff --git a/modules/luci-base/luasrc/view/cbi/filebrowser.htm b/modules/luci-base/luasrc/view/cbi/filebrowser.htm index a79beebba7..806b1b5f40 100644 --- a/modules/luci-base/luasrc/view/cbi/filebrowser.htm +++ b/modules/luci-base/luasrc/view/cbi/filebrowser.htm @@ -22,9 +22,9 @@
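
Review bot: The commit message does not say which encoding is applied in which context, and that matters for the hunk at line 22 of filebrowser.htm because the message names two different sinks, "script and html contexts". A value placed inside a script string literal needs JavaScript string escaping, while a value placed in markup or an attribute needs HTML entity escaping, and neither is a substitute for the other. Suggest naming the escaping helper used for each context in the message, so each of the 33 inserted lines can be checked against the right encoder and a later edit to this template does not reuse the wrong one.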