From: Jo-Philipp Wich <jo@mein.io>
Date: Fri, 13 Jan 2023 19:52:17 +0000 (+0100)
Subject: luci-mod-system: fix potential stored XSS
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=0186d7eae0e123a409e9919a83fdfecc7945c984;p=project%2Fluci.git

luci-mod-system: fix potential stored XSS

Make sure to escape the key contents in the delete confirmation dialog.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---

diff --git a/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js b/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
index df3e354e37..a1748ad990 100644
--- a/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
+++ b/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js
@@ -204,7 +204,7 @@ function removeKey(ev) {
 
 	L.showModal(_('Delete key'), [
 		E('div', _('Do you really want to delete the following SSH key?')),
-		E('pre', delkey),
+		E('pre', [ delkey ]),
 		E('div', { class: 'right' }, [
 			E('div', { class: 'btn', click: L.hideModal }, _('Cancel')),
 			' ',