mirror of
https://github.com/openwrt/luci.git
synced 2025-12-21 17:04:35 +04:00
15ca915da9
This calls striptags() on the hostname to prevent any XSS over the
hostname. This should fix CVE-2021-33425 as far as I understood it.
If someone adds some Javascript into system.@system[0].hostname it would
have been directly added to the page, this prevents the problem.
This can only be exploited by someone being able to modify the uci
configuration, normally a user with such privileges could also just
modify the webpage.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5cbd79d7e3)