From f25285a6c26e8776f153994704710cb8e51fad91 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 21 Sep 2022 14:47:41 +0200
Subject: [PATCH] luci-mod-system: sshkeys.js: prevent XSS through pubkey comments

Ensure to not display public key comments verbatim in order to prevent injection of markup.

Reported-by: Eric McDonald
Signed-off-by: Jo-Philipp Wich
(cherry picked from commit 944b55738e7f9685865d5298248b7fbd7380749e)
---
 .../htdocs/luci-static/resources/view/system/sshkeys.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js b/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
index 9269a69395..bbb6d050d2 100644
--- a/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
+++ b/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
@@ -109,7 +109,7 @@ function renderKeyItem(pubkey) {
 click: removeKey,
 'data-key': pubkey.src
 }, [
- E('strong', pubkey.comment || _('Unnamed key')), E('br'),
+ E('strong', [ pubkey.comment || _('Unnamed key') ]), E('br'),
 E('small', [
 '%s, %s'.format(pubkey.type, pubkey.curve || _('%d Bit').format(pubkey.bits)),
 pubkey.options ? E([], [
--
2.30.2
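Review bot: The array wrapper on the `E('strong', [ … ])` line is the whole fix, yet nothing on that line says it is security-relevant, so a later tidy-up could unwrap it and silently reintroduce the markup injection. Going by the commit message, `E()` appears to parse a bare string child as markup and to append array members as text; a comment above the line would pin that down, e.g. `// keep the array: key comment is untrusted and must be appended as text, not parsed as markup`. The other key-derived value visible here, the `'%s, %s'.format(...)` string, is already an array member. `renderKeyItem` continues past the last line of the hunk, so any `E()` call further down, or elsewhere in sshkeys.js, that passes a key-derived string as a bare second argument should get the same wrapping; that code is not visible here.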