5cbd79d7e3
This calls striptags() on the hostname to prevent any XSS over the hostname. This should fix CVE-2021-33425 as far as I understood it. If someone adds some Javascript into system.@system[0].hostname it would have been directly added to the page, this prevents the problem. This can only be exploited by someone being able to modify the uci configuration, normally a user with such privileges could also just modify the webpage. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> |
||
|---|---|---|
| .. | ||
| luci-theme-bootstrap | ||
| luci-theme-material | ||
| luci-theme-openwrt | ||
| luci-theme-openwrt-2020 | ||