From e2abb45b0ef3cc7c527e73f3d6677a861a6875e0 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Wed, 12 May 2021 11:49:31 +0200
Subject: [PATCH] luci-mod-status: fix potential XSS via specially crafted DNS
 names

When an upstream NS returns PTR domain names containing HTML, it is
added verbatim to the connection status table.

Prevent this issue by HTML escaping any values in the source and
destination columns.

Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 3c66c5b1651aa25afbff09bee45047da9a0ba43d)
---
 .../htdocs/luci-static/resources/view/status/connections.js   | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js b/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js
index 9d97569d22..a87fe53fed 100644
--- a/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js
+++ b/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js
@@ -133,8 +133,8 @@ return view.extend({
 			rows.push([
 				c.layer3.toUpperCase(),
 				c.layer4.toUpperCase(),
-				c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src,
-				c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst,
+				'%h'.format(c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src),
+				'%h'.format(c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst),
 				'%1024.2mB (%d %s)'.format(c.bytes, c.packets, _('Pkts.'))
 			]);
 		}
-- 
2.30.2