projects / project / luci.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 91f3929) | patch
themes: Call striptags() on hostname to prevent XSS
authorHauke Mehrtens <hauke@hauke-m.de>
Tue, 8 Jun 2021 23:28:44 +0000 (01:28 +0200)
committerHauke Mehrtens <hauke@hauke-m.de>
Wed, 9 Jun 2021 19:07:45 +0000 (21:07 +0200)
commit15ca915da92686dce86be05c205118f57ec7015a
treee244b76f0bf5ae0165057a959249f7ab58a47f20tree | snapshot
parent91f392950096896d7ed66fc697fc06ba884995afcommit | diff
themes: Call striptags() on hostname to prevent XSS

This calls striptags() on the hostname to prevent any XSS over the
hostname. This should fix CVE-2021-33425 as far as I understood it.

If someone adds some Javascript into system.@system[0].hostname it would
have been directly added to the page, this prevents the problem.

This can only be exploited by someone being able to modify the uci
configuration, normally a user with such privileges could also just
modify the webpage.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5cbd79d7e31c0f0feaea2770bf102bbae7831e3c)
themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm diff | blob | history
themes/luci-theme-material/luasrc/view/themes/material/header.htm diff | blob | history
themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm diff | blob | history
Lua Configuration Interface (mirror)