From: Jo-Philipp Wich
Date: Fri, 13 Sep 2019 11:23:23 +0000 (+0200)
Subject: luci-app-firewall: fix stored XSS in rule- and forward detail pages
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=2a143f4777e5ec57dfc6c63d55bf80600486efd7;p=oweals%2Fluci.git

luci-app-firewall: fix stored XSS in rule- and forward detail pages

Signed-off-by: Jo-Philipp Wich
---
diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
index d51f8fb79..bf263bb0b 100644
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
@@ -25,7 +25,7 @@ else
 if not name or #name == 0 then
 name = translate("(Unnamed Entry)")
 end
- m.title = "%s - %s" %{ translate("Firewall - Port Forwards"), name }
+ m.title = "%s - %s" %{ translate("Firewall - Port Forwards"), luci.util.pcdata(name) }
 end
 s = m:section(NamedSection, arg[1], "redirect", "")
diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
index def01c669..8f2ebf14d 100644
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
@@ -39,7 +39,7 @@ elseif rule_type == "redirect" then
 name = "SNAT %s" % name
 end
- m.title = "%s - %s" %{ translate("Firewall - Traffic Rules"), name }
+ m.title = "%s - %s" %{ translate("Firewall - Traffic Rules"), luci.util.pcdata(name) }
 s = m:section(NamedSection, arg[1], "redirect", "")
 s.anonymous = true
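Review bot: Nothing next to the new `m.title` line in forward-details.lua says why `name` is wrapped in `luci.util.pcdata()`, so a later cleanup could drop the call and reopen the stored XSS named in the subject. I would add a comment directly above the assignment, for example `-- name is a stored, user-editable value and the title is presumably emitted as markup: keep it HTML-escaped`. The call also reaches the module through the global `luci.util` table; if the file does not already load it (the top of the file is outside the hunk), prefer `local util = require "luci.util"` and `util.pcdata(name)`. Both remarks apply equally to the `m.title` line in the rule-details.lua hunk. The enclosing if/else block starts outside the hunk.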
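Review bot: In rule-details.lua only the title built under `elseif rule_type == "redirect" then` is escaped by this hunk. The other branches of that conditional are outside the hunk; if any of them also formats a stored `name` into `m.title`, it needs the same `luci.util.pcdata(name)` wrapping, otherwise the unescaped value still reaches the page for those rule types. It would be worth checking every `m.title =` assignment and every section title built from config values in this file and the sibling firewall models before treating the issue as closed.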