luci-app-firewall: fix stored XSS in rule- and forward detail pages

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
index d51f8fb79b4a9ca759477ec4fd8019478543c831..bf263bb0b61ab5e92d3b6059de4a177205dde4ca 100644 (file)
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
@@ -25,7 +25,7 @@ else
        if not name or #name == 0 then
                name = translate("(Unnamed Entry)")
        end
-       m.title = "%s - %s" %{ translate("Firewall - Port Forwards"), name }
+       m.title = "%s - %s" %{ translate("Firewall - Port Forwards"), luci.util.pcdata(name) }
 end
 
 s = m:section(NamedSection, arg[1], "redirect", "")

diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
index def01c6690e3d5b131a623eeed2b314dc95e6cff..8f2ebf14dc053070c95796f7da843847e2da16b8 100644 (file)
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
@@ -39,7 +39,7 @@ elseif rule_type == "redirect" then
                name = "SNAT %s" % name
        end
 
-       m.title = "%s - %s" %{ translate("Firewall - Traffic Rules"), name }
+       m.title = "%s - %s" %{ translate("Firewall - Traffic Rules"), luci.util.pcdata(name) }
 
        s = m:section(NamedSection, arg[1], "redirect", "")
        s.anonymous = true