treewide: filter shell arguments through shellquote() where applicable

[project/luci.git] / applications / luci-app-vnstat / luasrc / view / vnstat.htm

diff --git a/applications/luci-app-vnstat/luasrc/view/vnstat.htm b/applications/luci-app-vnstat/luasrc/view/vnstat.htm
index d67f9b3..42d7d24 100644 (file)
--- a/applications/luci-app-vnstat/luasrc/view/vnstat.htm
+++ b/applications/luci-app-vnstat/luasrc/view/vnstat.htm
@@ -1,13 +1,6 @@
 <%#
-LuCI - Lua Configuration Interface
-Copyright 2010 Jo-Philipp Wich <xm@subsignal.org>
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
+ Copyright 2010 Jo-Philipp Wich <jow@openwrt.org>
+ Licensed to the public under the Apache License 2.0.
 -%>
 
 <%-
@@ -28,12 +21,13 @@ style = (style and #style > 0) and style or "s"
 -- render image
 --
 if iface then
-       style = style:gsub("[^%w]", "")
-       iface = iface:gsub("[^%w%.%-]", "")
-
        luci.http.prepare_content("image/png")
 
-       local png = io.popen("vnstati -i '%s' '-%s' -o -" % { iface, style })
+       local png = io.popen("vnstati -i %s -%s -o -" %{
+               utl.shellquote(iface),
+               utl.shellquote(style)
+       })
+
        luci.http.write(png:read("*a"))
        png:close()
 
@@ -63,7 +57,7 @@ dbdir = dbdir or "/var/lib/vnstat"
 
 <%+header%>
 
-<h2><a id="content" name="content"><%:VnStat Graphs%></a></h2>
+<h2 name="content"><%:VnStat Graphs%></h2>
 
 <form action="" method="get">
 
@@ -96,7 +90,7 @@ dbdir = dbdir or "/var/lib/vnstat"
 <%
        end
      end
-   end 
+   end
 %>
 
 <% if empty then %>