luci-app-openvpn: fix potential XSS in pageswitch template

Ensure to escape URL instance parameter displayed in the heading. Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 25983b9fa572a640a7ecd077378df2790266cd61)
2023-01-13 21:16:58 +01:00 · 2023-01-13 21:16:58 +01:00 · 749268a2ca
commit 749268a2ca
parent aa7938d4cb
1 changed files with 1 additions and 1 deletions
--- a/applications/luci-app-openvpn/luasrc/view/openvpn/pageswitch.htm
+++ b/applications/luci-app-openvpn/luasrc/view/openvpn/pageswitch.htm
@ -9,7 +9,7 @@
 <div class="cbi-section">
 	<h3>
 		<a href="<%=url('admin/vpn/openvpn')%>"><%:Overview%></a> &#187;
-		<%=luci.i18n.translatef("Instance \"%s\"", self.instance)%>
+		<%=luci.i18n.translatef("Instance \"%s\"", pcdata(self.instance))%>
 	</h3>
 	<% if self.mode == "basic" then %>
 		<a href="<%=url('admin/vpn/openvpn/advanced', self.instance)%>"><%:Switch to advanced configuration%> &#187;</a><p/>