luci-mod-admin-full: escape display parameter

[project/luci.git] / modules / luci-mod-admin-full / luasrc / view / admin_system / packages.htm

diff --git a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
index 1bc9cac..88e0fff 100644 (file)
--- a/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
+++ b/modules/luci-mod-admin-full/luasrc/view/admin_system/packages.htm
@@ -69,7 +69,7 @@ end
                                <% if querypat then %>
                                <div class="cbi-value">
                                        <%:Displaying only packages containing%> <strong>"<%=pcdata(query)%>"</strong>
-                                       <input type="button" onclick="location.href='?display=<%=pcdata(display)%>'" href="#" class="cbi-button cbi-button-reset" style="margin-left:1em" value="<%:Reset%>" />
+                                       <input type="button" onclick="location.href='?display=<%=luci.http.urlencode(display)%>'" href="#" class="cbi-button cbi-button-reset" style="margin-left:1em" value="<%:Reset%>" />
                                        <br style="clear:both" />
                                </div>
                                <% end %>
@@ -102,7 +102,7 @@ end
                                        <label class="cbi-value-title"><%:Download and install package%>:</label>
                                        <div class="cbi-value-field">
                                                <input type="text" name="url" size="30" value="" />
-                                               <input class="cbi-button cbi-input-save" type="submit" name="exec" value="<%:OK%>" />
+                                               <input class="cbi-button cbi-input-save" type="submit" name="go" value="<%:OK%>" />
                                        </div>
                                </div>