Always escape user provided data in mainmenu fields

author Kahrl <kahrl@gmx.net>

Mon, 8 Dec 2014 06:47:51 +0000 (07:47 +0100)

committer Kahrl <kahrl@gmx.net>

Mon, 8 Dec 2014 06:48:51 +0000 (07:48 +0100)
author Kahrl <kahrl@gmx.net>
Mon, 8 Dec 2014 06:47:51 +0000 (07:47 +0100)
committer Kahrl <kahrl@gmx.net>
Mon, 8 Dec 2014 06:48:51 +0000 (07:48 +0100)
diff --git a/builtin/mainmenu/tab_multiplayer.lua b/builtin/mainmenu/tab_multiplayer.lua

index c3a7d921e2c7ced7e4d032e77f1dbb1555df0cae..b235eaecf8c3f131524285be76b3ec32e7649a4c 100644 (file)
--- a/builtin/mainmenu/tab_multiplayer.lua
+++ b/builtin/mainmenu/tab_multiplayer.lua
@@ -24,8 +24,10 @@ local function get_formspec(tabview, name, tabdata)
                 "label[1,-0.25;".. fgettext("Favorites:") .. "]"..
                 "label[1,4.25;".. fgettext("Address/Port") .. "]"..
                 "label[9,2.75;".. fgettext("Name/Password") .. "]" ..
-               "field[1.25,5.25;5.5,0.5;te_address;;" ..core.setting_get("address") .."]" ..
-               "field[6.75,5.25;2.25,0.5;te_port;;" ..core.setting_get("remote_port") .."]" ..
+               "field[1.25,5.25;5.5,0.5;te_address;;" ..
+               core.formspec_escape(core.setting_get("address")) .."]" ..
+               "field[6.75,5.25;2.25,0.5;te_port;;" ..
+               core.formspec_escape(core.setting_get("remote_port")) .."]" ..
                 "checkbox[1,3.6;cb_public_serverlist;".. fgettext("Public Serverlist") .. ";" ..
                 dump(core.setting_getbool("public_serverlist")) .. "]"
  
@@ -36,7 +38,8 @@ local function get_formspec(tabview, name, tabdata)
  
         retval = retval ..
                 "button[9,4.95;2.5,0.5;btn_mp_connect;".. fgettext("Connect") .. "]" ..
-               "field[9.3,3.75;2.5,0.5;te_name;;" ..core.setting_get("name") .."]" ..
+               "field[9.3,3.75;2.5,0.5;te_name;;" ..
+               core.formspec_escape(core.setting_get("name")) .."]" ..
                 "pwdfield[9.3,4.5;2.5,0.5;te_pwd;]" ..
                 "textarea[9.3,0.25;2.5,2.75;;"
                 
diff --git a/builtin/mainmenu/tab_server.lua b/builtin/mainmenu/tab_server.lua

index 154a54cc71116a6a74f5eed09dcfece50d3aeb04..34706efbeda9488a192b824662b2f4de82d8cedc 100644 (file)
--- a/builtin/mainmenu/tab_server.lua
+++ b/builtin/mainmenu/tab_server.lua
@@ -36,20 +36,20 @@ local function get_formspec(tabview, name, tabdata)
                 "checkbox[0.5,1.15;cb_server_announce;".. fgettext("Public") .. ";" ..
                 dump(core.setting_getbool("server_announce")) .. "]"..
                 "field[0.8,3.2;3.5,0.5;te_playername;".. fgettext("Name") .. ";" ..
-               core.setting_get("name") .. "]" ..
+               core.formspec_escape(core.setting_get("name")) .. "]" ..
                 "pwdfield[0.8,4.2;3.5,0.5;te_passwd;".. fgettext("Password") .. "]"
                 
         local bind_addr = core.setting_get("bind_address")
         if bind_addr ~= nil and bind_addr ~= "" then
                 retval = retval ..
                         "field[0.8,5.2;2.25,0.5;te_serveraddr;".. fgettext("Bind Address") .. ";" ..
-                       core.setting_get("bind_address") .."]" ..
+                       core.formspec_escape(core.setting_get("bind_address")) .."]" ..
                         "field[3.05,5.2;1.25,0.5;te_serverport;".. fgettext("Port") .. ";" ..
-                       core.setting_get("port") .."]"
+                       core.formspec_escape(core.setting_get("port")) .."]"
         else
                 retval = retval ..
                         "field[0.8,5.2;3.5,0.5;te_serverport;".. fgettext("Server Port") .. ";" ..
-                       core.setting_get("port") .."]"
+                       core.formspec_escape(core.setting_get("port")) .."]"
         end
         
         retval = retval ..
diff --git a/builtin/mainmenu/tab_simple_main.lua b/builtin/mainmenu/tab_simple_main.lua

index 0724acf87611778aa517ab2d61c59b958b66b4d3..b48e523f3c78f62e9cca0821181bc6b3dc7d2353 100644 (file)
--- a/builtin/mainmenu/tab_simple_main.lua
+++ b/builtin/mainmenu/tab_simple_main.lua
@@ -23,14 +23,17 @@ local function get_formspec(tabview, name, tabdata)
  
         retval = retval ..
                 "label[8,0.5;".. fgettext("Name/Password") .. "]" ..
-               "field[0.25,3.25;5.5,0.5;te_address;;" ..core.setting_get("address") .."]" ..
-               "field[5.75,3.25;2.25,0.5;te_port;;" ..core.setting_get("remote_port") .."]" ..
+               "field[0.25,3.25;5.5,0.5;te_address;;" ..
+               core.formspec_escape(core.setting_get("address")) .."]" ..
+               "field[5.75,3.25;2.25,0.5;te_port;;" ..
+               core.formspec_escape(core.setting_get("remote_port")) .."]" ..
                 "checkbox[8,-0.25;cb_public_serverlist;".. fgettext("Public Serverlist") .. ";" ..
                 render_details .. "]"
  
         retval = retval ..
                 "button[8,2.5;4,1.5;btn_mp_connect;".. fgettext("Connect") .. "]" ..
-               "field[8.75,1.5;3.5,0.5;te_name;;" ..core.setting_get("name") .."]" ..
+               "field[8.75,1.5;3.5,0.5;te_name;;" ..
+               core.formspec_escape(core.setting_get("name")) .."]" ..
                 "pwdfield[8.75,2.3;3.5,0.5;te_pwd;]"
  
         --favourites
author	Kahrl <kahrl@gmx.net>
	Mon, 8 Dec 2014 06:47:51 +0000 (07:47 +0100)
committer	Kahrl <kahrl@gmx.net>
	Mon, 8 Dec 2014 06:48:51 +0000 (07:48 +0100)
builtin/mainmenu/tab_multiplayer.lua		patch \| blob \| history
builtin/mainmenu/tab_server.lua		patch \| blob \| history
builtin/mainmenu/tab_simple_main.lua		patch \| blob \| history