monitor: prevent html injection with cgi.escape

stack/monitor/webfile-directory/settings.cgi.in

@@ -44,8 +44,8 @@ print "<form action=\"/index.cgi\" method=\"post\" class=\"pure-form-aligned\">"
 print "<input type=\"hidden\" name=\"posting-script\" value=\"{{ pwd }}/{{ this_file }}\">"
 for option in parser.options("public"):
   print "<div class=\"pure-control-group\">"
-  print "<label for=\"%s\">%s</label>"%(option, option)
-  print "<input type=\"text\" name=\"%s\" value=\"%s\">"%(option, parser.get('public', option))
+  print "<label for=\"%s\">%s</label>" % (cgi.escape(option, quote=True), cgi.escape(option))
+  print "<input type=\"text\" name=\"%s\" value=\"%s\">" % (cgi.escape(option, quote=True), cgi.escape(parser.get('public', option), quote=True))
   print "</div>"
 print "<div class=\"pure-controls\"><button type=\"submit\" class=\"pure-button \
  pure-button-primary\">Save</button></div></form>"
@@ -56,8 +56,8 @@ for section in parser.sections():
   if section != 'public':
     for option in parser.options(section):
       print "<div class=\"pure-control-group\">"
-      print "<label for=\"%s\">%s</label>"%(option, option)
-      print "<input type=\"text\" name=\"%s\" value=\"%s\" readonly>"%(option, parser.get(section, option))
+      print "<label for=\"%s\">%s</label>" % (cgi.escape(option, quote=True), cgi.escape(option))
+      print "<input type=\"text\" name=\"%s\" value=\"%s\" readonly>" %(cgi.escape(option, quote=True), cgi.escape(parser.get(section, option), quote=True))
       print "</div>"
 print "</form>"