Merge pull request #3967 from blenk92/development

Fix XSS-Vulnerability in configuration page
Theo Arends 2018-10-03 20:04:19 +02:00 committed by GitHub
commit 42e8b193f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 1 deletions


@ -789,6 +789,17 @@ void HandleWifiConfiguration()
HandleWifi(false);
}
String htmlEscape(String s)
{
s.replace("&", "&");
s.replace("<", "&lt;");
s.replace(">", "&gt;");
s.replace("\"", "&quot;");
s.replace("'", "&#x27;");
s.replace("/", "&#x2F;");
return s;
}
void HandleWifi(boolean scan)
{
if (HttpUser()) { return; }
@ -854,7 +865,7 @@ void HandleWifi(boolean scan)
String item = FPSTR(HTTP_LNK_ITEM);
String rssiQ;
rssiQ += quality;
item.replace(F("{v}"), WiFi.SSID(indices[i]));
item.replace(F("{v}"), htmlEscape(WiFi.SSID(indices[i])));
item.replace(F("{w}"), String(WiFi.channel(indices[i])));
item.replace(F("{r}"), rssiQ);
uint8_t auth = WiFi.encryptionType(indices[i]);
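Review bot: In htmlEscape, the first call as rendered here reads `s.replace("&", "&");`, which replaces an ampersand with itself, so a literal `&` in a scanned SSID would reach the page unescaped. This may only be the page decoding the entity, but the source should be checked to read `s.replace("&", "&amp;");`. That call also has to stay first, because the later replacements introduce `&` themselves and would otherwise be escaped twice; a one-line comment such as `// '&' must be replaced first so the entities added below are not double-escaped` would protect it from a later reorder. The second hunk escapes only the `{v}` SSID substitution inside HandleWifi, whose body starts and ends outside the hunks, so any other place where a scanned or stored SSID is written into a page is not visible here and should be checked for the same escaping.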