themes: ensure that data-page attribute is escaped

Fixes: #3757
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 5d7dc391d4)

themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm

@@ -151,7 +151,7 @@
 		<script src="<%=resource%>/xhr.js"></script>
 	</head>
 
-	<body class="lang_<%=luci.i18n.context.lang%> <% if node then %><%= striptags( node.title ) %><%- end %>" data-page="<%= table.concat(disp.context.requestpath, "-") %>">
+	<body class="lang_<%=luci.i18n.context.lang%> <% if node then %><%= striptags( node.title ) %><%- end %>" data-page="<%= pcdata(table.concat(disp.context.requestpath, "-")) %>">
 		<header>
 			<div class="fill">
 				<div class="container">

themes/luci-theme-material/luasrc/view/themes/material/header.htm

@@ -181,7 +181,7 @@
 	<script src="<%=resource%>/cbi.js"></script>
 	<script src="<%=resource%>/xhr.js"></script>
 </head>
-<body class="lang_<%=luci.i18n.context.lang%> <% if node then %><%= striptags( node.title ) %><% end %> <% if luci.dispatcher.context.authsession then %>logged-in<% end %>" data-page="<%= table.concat(disp.context.requestpath, "-") %>">
+<body class="lang_<%=luci.i18n.context.lang%> <% if node then %><%= striptags( node.title ) %><% end %> <% if luci.dispatcher.context.authsession then %>logged-in<% end %>" data-page="<%= pcdata(table.concat(disp.context.requestpath, "-")) %>">
 <header>
 	<div class="fill">
 		<div class="container">

themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm

@@ -187,7 +187,7 @@
 //]]></script>
 <title><%=striptags( (boardinfo.hostname or "?") .. ( (node and node.title) and ' - ' .. translate(node.title) or '')) %> - LuCI</title>
 </head>
-<body class="lang_<%=luci.i18n.context.lang%>" data-page="<%= table.concat(disp.context.requestpath, "-") %>">
+<body class="lang_<%=luci.i18n.context.lang%>" data-page="<%= pcdata(table.concat(disp.context.requestpath, "-")) %>">
 
 <p class="skiplink">
 <span id="skiplink1"><a href="#navigation"><%:Skip to navigation%></a></span>