treewide: avoid double-escaping CBI section labels

Since the section labels are already HTML-escaped implicitely by the striptags() function, we must not escape them again in attr() or ifattr(). Fixes: #2524 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-02-12 08:32:02 +01:00 · 2019-02-12 08:32:02 +01:00 · eda8f02dac
commit eda8f02dac
parent 4141243762
4 changed files with 5 additions and 5 deletions
--- a/applications/luci-app-adblock/luasrc/view/adblock/blocklist.htm
+++ b/applications/luci-app-adblock/luasrc/view/adblock/blocklist.htm
@ -27,7 +27,7 @@ local anonclass  = (not self.anonymous or self.sectiontitle) and "named" or "ano
 				for i, k in ipairs(self:cfgsections()) do
 					section = k
 					local sectionname  = striptags((type(self.sectiontitle) == "function") and self:sectiontitle(section) or k)
-					local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname)
+					local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname, true)
 					isempty = false
 					scope = { valueheader = "cbi/cell_valueheader", valuefooter = "cbi/cell_valuefooter" }
 			-%>
--- a/applications/luci-app-banip/luasrc/view/banip/sourcelist.htm
+++ b/applications/luci-app-banip/luasrc/view/banip/sourcelist.htm
@ -27,7 +27,7 @@ local anonclass  = (not self.anonymous or self.sectiontitle) and "named" or "ano
 				for i, k in ipairs(self:cfgsections()) do
 					section = k
 					local sectionname  = striptags((type(self.sectiontitle) == "function") and self:sectiontitle(section) or k)
-					local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname)
+					local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname, true)
 					isempty = false
 					scope = { valueheader = "cbi/cell_valueheader", valuefooter = "cbi/cell_valuefooter" }
 			-%>
--- a/modules/luci-base/luasrc/view/cbi/cell_valueheader.htm
+++ b/modules/luci-base/luasrc/view/cbi/cell_valueheader.htm
@ -6,7 +6,7 @@
 <div class="td cbi-value-field<% if self.error and self.error[section] then %> cbi-value-error<% end %>"<%=
 	attr("data-name", self.option) ..
 	ifattr(ftype and #ftype > 0, "data-type", ftype) ..
-	ifattr(title and #title > 0, "data-title", title) ..
+	ifattr(title and #title > 0, "data-title", title, true) ..
-	ifattr(descr and #descr > 0, "data-description", descr)
+	ifattr(descr and #descr > 0, "data-description", descr, true)
 %>>
 <div id="cbi-<%=self.config.."-"..section.."-"..self.option%>" data-index="<%=self.index%>" data-depends="<%=pcdata(self:deplist2json(section))%>">
--- a/modules/luci-base/luasrc/view/cbi/tblsection.htm
+++ b/modules/luci-base/luasrc/view/cbi/tblsection.htm
@ -127,7 +127,7 @@ end
 				section = k
 				local sectionname = striptags((type(self.sectiontitle) == "function") and self:sectiontitle(section) or k)
-				local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname)
+				local sectiontitle = ifattr(sectionname and (not self.anonymous or self.sectiontitle), "data-title", sectionname, true)
 				local colorclass = (self.extedit or self.rowcolors) and rowstyle() or ""
 				local scope = {
 					valueheader = "cbi/cell_valueheader",