Commit c2194135 authored by Tristan Cavelier, committed by Cédric Le Ninivin

monitor: prevent html injection with cgi.escape

parent 0a2158e8
...@@ -44,8 +44,8 @@ print "<form action=\"/index.cgi\" method=\"post\" class=\"pure-form-aligned\">" ...@@ -44,8 +44,8 @@ print "<form action=\"/index.cgi\" method=\"post\" class=\"pure-form-aligned\">"
print "<input type=\"hidden\" name=\"posting-script\" value=\"{{ pwd }}/{{ this_file }}\">" print "<input type=\"hidden\" name=\"posting-script\" value=\"{{ pwd }}/{{ this_file }}\">"
for option in parser.options("public"): for option in parser.options("public"):
print "<div class=\"pure-control-group\">" print "<div class=\"pure-control-group\">"
print "<label for=\"%s\">%s</label>"%(option, option) print "<label for=\"%s\">%s</label>" % (cgi.escape(option, quote=True), cgi.escape(option))
print "<input type=\"text\" name=\"%s\" value=\"%s\">"%(option, parser.get('public', option)) print "<input type=\"text\" name=\"%s\" value=\"%s\">" % (cgi.escape(option, quote=True), cgi.escape(parser.get('public', option), quote=True))
print "</div>" print "</div>"
print "<div class=\"pure-controls\"><button type=\"submit\" class=\"pure-button \ print "<div class=\"pure-controls\"><button type=\"submit\" class=\"pure-button \
pure-button-primary\">Save</button></div></form>" pure-button-primary\">Save</button></div></form>"
...@@ -56,8 +56,8 @@ for section in parser.sections(): ...@@ -56,8 +56,8 @@ for section in parser.sections():
if section != 'public': if section != 'public':
for option in parser.options(section): for option in parser.options(section):
print "<div class=\"pure-control-group\">" print "<div class=\"pure-control-group\">"
print "<label for=\"%s\">%s</label>"%(option, option) print "<label for=\"%s\">%s</label>" % (cgi.escape(option, quote=True), cgi.escape(option))
print "<input type=\"text\" name=\"%s\" value=\"%s\" readonly>"%(option, parser.get(section, option)) print "<input type=\"text\" name=\"%s\" value=\"%s\" readonly>" %(cgi.escape(option, quote=True), cgi.escape(parser.get(section, option), quote=True))
print "</div>" print "</div>"
print "</form>" print "</form>"
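Review bot: Neither hunk shows `import cgi`, so unless the import was added in a part of this diff that is not shown here, both forms now fail with NameError on the first label line they render, and the injection fix never takes effect. The escaping itself is applied consistently: `quote=True` on every double-quoted attribute value (`for`, `name`, `value`) and plain `cgi.escape` for the label text, which is correct for a text node. The readonly input line spaces the format operator as `%(cgi.escape(...` while its sibling in the first hunk uses ` % (cgi.escape(...`; I would align it to `print "<input type=\"text\" name=\"%s\" value=\"%s\" readonly>" % (cgi.escape(option, quote=True), cgi.escape(parser.get(section, option), quote=True))`. Note that `cgi.escape` is deprecated since Python 3.2 and removed in 3.8; `html.escape` (which escapes `'` as well, with `quote=True` by default) is the drop-in replacement once this script moves off the Python 2 `print` statement.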