From bfc98bec4d79efb24434e11ea27b3c17c31365ab Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Thu, 5 Apr 2018 23:00:46 +0200 Subject: [PATCH] luci-mod-admin-full: escape display parameter Prevent reflected XSS through the reset button by url encoding the display parameter. Signed-off-by: Jo-Philipp Wich --- .../luci-mod-admin-full/luasrc/view/admin_system/packages.htm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm index d5d78289b..88e0fffd9 100644 --- a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm +++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm @@ -69,7 +69,7 @@ end <% if querypat then %>
<%:Displaying only packages containing%> "<%=pcdata(query)%>" - +
<% end %> -- 2.25.1