Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

luci-app-dawn: fix custom markup

Browse source 
- Properly indent HTML markup
 - Replace div-based table markup with actual tables
 - Escape SSID, hostname and interface values to prevent potential XSS

Fixes: #4942
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit is contained in:
Jo-Philipp Wich 2021-03-29 11:45:01 +02:00
parent 95b5c6cd64
commit 32f0ff25a2
2 changed files with 132 additions and 138 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
applications/luci-app-dawn/luasrc/model/cbi/dawn/dawn_hearing_map.lua
View file

@ -8,6 +8,7 @@ function s.render(self, sid)
tpl.render_string([[ tpl.render_string([[
<% <%
local utl = require "luci.util" local utl = require "luci.util"
local xml = require "luci.xml"
local status = require "luci.tools.ieee80211" local status = require "luci.tools.ieee80211"
local stat = utl.ubus("dawn", "get_hearing_map", { }) local stat = utl.ubus("dawn", "get_hearing_map", { })
local name, macs local name, macs
@ -15,57 +16,52 @@ function s.render(self, sid)
for name, macs in pairs(stat) do for name, macs in pairs(stat) do
%> %>
<div class="cbi-section-node"> <div class="cbi-section-node">
<h3>SSID: <%= name %></h3> <h3>SSID: <%= xml.pcdata(name) %></h3>
<div class="table" id="dawn_hearing_map"> <table class="table" id="dawn_hearing_map">
<div class="tr table-titles"> <tr class="tr table-titles">
<div class="th">Client MAC</div> <th class="th">Client MAC</th>
<div class="th">AP MAC</div> <th class="th">AP MAC</th>
<div class="th">Frequency</div> <th class="th">Frequency</th>
<div class="th">HT Sup</div> <th class="th">HT Sup</th>
<div class="th">VHT Sup</div> <th class="th">VHT Sup</th>
<div class="th">Signal</div> <th class="th">Signal</th>
<div class="th">RCPI</div> <th class="th">RCPI</th>
<div class="th">RSNI</div> <th class="th">RSNI</th>
<div class="th">Channel Utilization</div> <th class="th">Channel Utilization</th>
<div class="th">Station connect to AP</div> <th class="th">Station connect to AP</th>
<div class="th">Score</div> <th class="th">Score</th>
</div> </tr>
<% <%
local mac, data local mac, data
for mac, data in pairs(macs) do for mac, data in pairs(macs) do
local mac2, data2 local mac2, data2
local count_loop = 0 local count_loop = 0
for mac2, data2 in pairs(data) do for mac2, data2 in pairs(data) do
%> %>
<div class="tr"> <tr class="tr">
<% if (count_loop == 0) then %> <td class="td"><%= (count_loop == 0) and mac or "" %></td>
<div class="td"><%= mac %></div> <td class="td"><%= mac2 %></td>
<% else %> <td class="td"><%= "%.3f" %( data2.freq / 1000 ) %> GHz Channel: <%= "%d" %( status.frequency_to_channel(data2.freq) ) %></td>
<div></div> <td class="td"><%= (data2.ht_capabilities == true and data2.ht_support == true) and "True" or "False" %></td>
<% end %> <td class="td"><%= (data2.vht_capabilities == true and data2.vht_support == true) and "True" or "False" %></td>
<div class="td"><%= mac2 %></div> <td class="td"><%= "%d" % data2.signal %></td>
<div class="td"><%= "%.3f" %( data2.freq / 1000 ) %> GHz Channel: <%= "%d" %( status.frequency_to_channel(data2.freq) ) %></div> <td class="td"><%= "%d" % data2.rcpi %></td>
<div class="td"><%= (data2.ht_capabilities == true and data2.ht_support == true) and "True" or "False" %></div> <td class="td"><%= "%d" % data2.rsni %></td>
<div class="td"><%= (data2.vht_capabilities == true and data2.vht_support == true) and "True" or "False" %></div> <td class="td"><%= "%.2f" % (data2.channel_utilization / 2.55) %> %</td>
<div class="td"><%= "%d" %data2.signal %></div> <td class="td"><%= "%d" % data2.num_sta %></td>
<div class="td"><%= "%d" %data2.rcpi %></div> <td class="td"><%= "%d" % data2.score %></td>
<div class="td"><%= "%d" %data2.rsni %></div> </tr>
<div class="td"><%= "%.2f" %(data2.channel_utilization / 2.55) %> %</div>
<div class="td"><%= "%d" %data2.num_sta %></div>
<div class="td"><%= "%d" %data2.score %></div>
</div>
<% <%
count_loop = count_loop + 1 count_loop = count_loop + 1
end end
end end
%> %>
</div> </table>
</div> </div>
<% <%
end end
%> %>
</div>
]]) ]])
end end

110
applications/luci-app-dawn/luasrc/model/cbi/dawn/dawn_network.lua
View file

@ -12,80 +12,78 @@ function s.render(self, sid)
local status = require "luci.tools.ieee80211" local status = require "luci.tools.ieee80211"
local utl = require "luci.util" local utl = require "luci.util"
local sys = require "luci.sys" local sys = require "luci.sys"
local xml = require "luci.xml"
local hosts = sys.net.host_hints() local hosts = sys.net.host_hints()
local stat = utl.ubus("dawn", "get_network", { }) local stat = utl.ubus("dawn", "get_network", { })
local name, macs local name, macs
for name, macs in pairs(stat) do for name, macs in pairs(stat) do
%> %>
<div class="cbi-section-node"> <div class="cbi-section-node">
<h3>SSID: <%= name %></h3> <h3>SSID: <%= xml.pcdata(name) %></h3>
<div class="table" id=network_overview_main"> <table class="table" id=network_overview_main">
<div class="tr table-titles"> <tr class="tr table-titles">
<div class="th">AP</div> <th class="th">AP</th>
<div class="th">Clients</div> <th class="th">Clients</th>
</div> </tr>
<% <%
local mac, data local mac, data
for mac, data in pairs(macs) do for mac, data in pairs(macs) do
%> %>
<div class="tr"> <tr class="tr">
<div class="td" style="vertical-align: top;"> <td class="td" style="vertical-align: top;">
<div class="table" id="ap-<%= mac %>"> <table class="table" id="ap-<%= mac %>">
<div class="tr table-titles"> <tr class="tr table-titles">
<div class="th">Hostname</div> <th class="th">Hostname</th>
<div class="th">Interface</div> <th class="th">Interface</th>
<div class="th">MAC</div> <th class="th">MAC</th>
<div class="th">Utilization</div> <th class="th">Utilization</th>
<div class="th">Frequency</div> <th class="th">Frequency</th>
<div class="th">Stations</div> <th class="th">Stations</th>
<div class="th">HT Sup</div> <th class="th">HT Sup</th>
<div class="th">VHT Sup</div> <th class="th">VHT Sup</th>
</div> </tr>
<div class="tr"> <tr class="tr">
<div class="td"><%= data.hostname %></div> <td class="td"><%= xml.pcdata(data.hostname) %></td>
<div class="td"><%= data.iface %></div> <td class="td"><%= xml.pcdata(data.iface) %></td>
<div class="td"><%= mac %></div> <td class="td"><%= mac %></td>
<div class="td"><%= "%.2f" %(data.channel_utilization / 2.55) %> %</div> <td class="td"><%= "%.2f" %(data.channel_utilization / 2.55) %> %</td>
<div class="td"><%= "%.3f" %( data.freq / 1000 ) %> GHz (Channel: <%= "%d" %( status.frequency_to_channel(data.freq) ) %>)</div> <td class="td"><%= "%.3f" %( data.freq / 1000 ) %> GHz (Channel: <%= "%d" %( status.frequency_to_channel(data.freq) ) %>)</td>
<div class="td"><%= "%d" %data.num_sta %></div> <td class="td"><%= "%d" % data.num_sta %></td>
<div class="td"><%= (data.ht_support == true) and "available" or "not available" %></div> <td class="td"><%= (data.ht_support == true) and "available" or "not available" %></td>
<div class="td"><%= (data.vht_support == true) and "available" or "not available" %></div> <td class="td"><%= (data.vht_support == true) and "available" or "not available" %></td>
</div> </tr>
</div> </table>
</div> </td>
<div class="td" style="vertical-align: top;"> <td class="td" style="vertical-align: top;">
<div class="table" id="clients-<%= mac %>"> <table class="table" id="clients-<%= mac %>">
<div class="tr table-titles"> <tr class="tr table-titles">
<div class="th">MAC</div> <th class="th">MAC</th>
<div class="th">HT</div> <th class="th">HT</th>
<div class="th">VHT</div> <th class="th">VHT</th>
<div class="th">Signal</div> <th class="th">Signal</th>
</div> </tr>
<% <%
local mac2, data2 local mac2, data2
for clientmac, clientvals in pairs(data) do for clientmac, clientvals in pairs(data) do
if (type(clientvals) == "table") then if (type(clientvals) == "table") then
%> %>
<div class="tr"> <tr class="tr">
<div class="td"><%= clientmac %></div> <td class="td"><%= clientmac %></td>
<div class="td"><%= (clientvals.ht == true) and "available" or "not available" %></div> <td class="td"><%= (clientvals.ht == true) and "available" or "not available" %></td>
<div class="td"><%= (clientvals.vht == true) and "available" or "not available" %></div> <td class="td"><%= (clientvals.vht == true) and "available" or "not available" %></td>
<div class="td"><%= "%d" %clientvals.signal %></div> <td class="td"><%= "%d" % clientvals.signal %></td>
</div> </tr>
<%
end
end
%>
</table>
</td>
</tr>
<% <%
end end
%> %>
<% </table>
end
%>
</div>
</div>
</div>
<%
end
%>
</div>
</div> </div>
<% <%
end end