From: Jo-Philipp Wich <jo@mein.io>
Date: Fri, 13 Jan 2023 20:16:58 +0000 (+0100)
Subject: luci-app-openvpn: fix potential XSS in pageswitch template
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=749268a2cad4a08722e30f66a578e254885f450f;p=project%2Fluci.git

luci-app-openvpn: fix potential XSS in pageswitch template

Ensure to escape URL instance parameter displayed in the heading.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 25983b9fa572a640a7ecd077378df2790266cd61)
---

diff --git a/applications/luci-app-openvpn/luasrc/view/openvpn/pageswitch.htm b/applications/luci-app-openvpn/luasrc/view/openvpn/pageswitch.htm
index 0792763085..c464ef4781 100644
--- a/applications/luci-app-openvpn/luasrc/view/openvpn/pageswitch.htm
+++ b/applications/luci-app-openvpn/luasrc/view/openvpn/pageswitch.htm
@@ -9,7 +9,7 @@
 <div class="cbi-section">
 	<h3>
 		<a href="<%=url('admin/vpn/openvpn')%>"><%:Overview%></a> &#187;
-		<%=luci.i18n.translatef("Instance \"%s\"", self.instance)%>
+		<%=luci.i18n.translatef("Instance \"%s\"", pcdata(self.instance))%>
 	</h3>
 	<% if self.mode == "basic" then %>
 		<a href="<%=url('admin/vpn/openvpn/advanced', self.instance)%>"><%:Switch to advanced configuration%> &#187;</a><p/>