modules/freifunk: Prevent injections

diff --git a/modules/freifunk/luasrc/view/freifunk-services/services.htm b/modules/freifunk/luasrc/view/freifunk-services/services.htm
index 650ef43..735a432 100644 (file)
--- a/modules/freifunk/luasrc/view/freifunk-services/services.htm
+++ b/modules/freifunk/luasrc/view/freifunk-services/services.htm
@@ -64,10 +64,12 @@ end
        for k, line in ipairs(table) do
                local field = {}
                -- split line at # and |, 1=url, 2=proto, 3=description, 4=source
        for k, line in ipairs(table) do
                local field = {}
                -- split line at # and |, 1=url, 2=proto, 3=description, 4=source

-               local field = luci.util.split(line, "[#|]", split, true) %>
+               local field = luci.util.split(line, "[#|]", split, true)
+               url,descr,origin = pcdata(field[1]),pcdata(field[3]),pcdata(field[4])
+               %>

                                        <tr class="cbi-section-table-row cbi-rowstyle-<%=i%>">
                                        <tr class="cbi-section-table-row cbi-rowstyle-<%=i%>">

-                                               <td class="cbi-section-table-cell"><a href="<%=field[1]%>"><%=field[3]%></a></td>
-                                               <td class="cbi-section-table-cell"><%=field[4]%></td>
+                                               <td class="cbi-section-table-cell"><a href="<%=url%>"><%=descr%></a></td>
+                                               <td class="cbi-section-table-cell"><%=origin%></td>

                                        </tr>
        <% if i == 1 then i = 0 elseif i == 0 then i = 1 end %>
        <%end%>
                                        </tr>
        <% if i == 1 then i = 0 elseif i == 0 then i = 1 end %>
        <%end%>