luci-app-upnp: escape description field in output

Since underlying upnpd does not sanitize, ensure to HTML escape
UPnP lease description to prevent XSS.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit is contained in:
Jo-Philipp Wich
2026-06-28 01:45:31 +02:00
parent 2a58b5c6c2
commit 08ce6fe643
2 changed files with 2 additions and 2 deletions
@@ -69,7 +69,7 @@ return baseclass.extend({
rule.extport,
rule.proto,
expires_str,
rule.descr,
'%h'.format(rule.descr),
E('button', {
'class': 'btn cbi-button-remove',
'click': L.bind(handleDelRule, this, rule.num)
@@ -65,7 +65,7 @@ return view.extend({
rule.extport,
rule.proto,
expires_str,
rule.descr,
'%h'.format(rule.descr),
E('button', {
'class': 'btn cbi-button-remove',
'click': L.bind(handleDelRule, this, rule.num)