mirror of https://github.com/arendst/Tasmota.git
Fix XSS-Vulnerability in configuration page
Add HTML entity encoding to the SSID of networks that can be found using the "Scan for wifi networks" function of the configuration page.
This commit is contained in:
parent
1707c73264
commit
cea848dec4
|
@ -789,6 +789,17 @@ void HandleWifiConfiguration()
|
|||
HandleWifi(false);
|
||||
}
|
||||
|
||||
String htmlEscape(String s)
|
||||
{
|
||||
s.replace("&", "&");
|
||||
s.replace("<", "<");
|
||||
s.replace(">", ">");
|
||||
s.replace("\"", """);
|
||||
s.replace("'", "'");
|
||||
s.replace("/", "/");
|
||||
return s;
|
||||
}
|
||||
|
||||
void HandleWifi(boolean scan)
|
||||
{
|
||||
if (HttpUser()) { return; }
|
||||
|
@ -854,7 +865,7 @@ void HandleWifi(boolean scan)
|
|||
String item = FPSTR(HTTP_LNK_ITEM);
|
||||
String rssiQ;
|
||||
rssiQ += quality;
|
||||
item.replace(F("{v}"), WiFi.SSID(indices[i]));
|
||||
item.replace(F("{v}"), htmlEscape(WiFi.SSID(indices[i])));
|
||||
item.replace(F("{w}"), String(WiFi.channel(indices[i])));
|
||||
item.replace(F("{r}"), rssiQ);
|
||||
uint8_t auth = WiFi.encryptionType(indices[i]);
|
||||
|
|
Loading…
Reference in New Issue