Commit d8b8b9c9 authored by Ludovic Fauvet's avatar Ludovic Fauvet Committed by Jean-Baptiste Kempf

lua http: fix two xss vulnerabilities

(cherry picked from commit bf02b8dd211d5a52aa301a9a2ff4e73ed8195881)
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
parent 26787244
......@@ -27,7 +27,7 @@
if _GET["command"] then
local msg = vlm:execute_command(_GET["command"])
if msg.value then
print(msg.name,":",msg.value)
print(msg.name,":",vlc.strings.convert_xml_special_chars(msg.value))
end
else
?>No command<?vlc
......
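Review bot: `msg.name` is still written to the response unescaped in the new `print` line; only `msg.value` goes through `vlc.strings.convert_xml_special_chars`. Where the name comes from is not visible in this hunk, but if `vlm:execute_command` can echo any part of `_GET["command"]` into it, the same reflected-markup problem remains for that field. Escaping both closes the gap regardless: `print(vlc.strings.convert_xml_special_chars(msg.name),":",vlc.strings.convert_xml_special_chars(msg.value))`. A short comment such as `-- VLM output may reflect the request; escape before printing` would keep a later edit from dropping the call.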
......@@ -107,7 +107,8 @@ function callback_error(path,url,msg)
<title>Error loading ]]..url..[[</title>
</head>
<body>
<h1>Error loading ]]..url..[[</h1><pre>]]..(config.no_error_detail and "Remove configuration option `no_error_detail' on the server to get more information." or tostring(msg))..[[</pre>
<h1>Error loading ]]..url..[[</h1><pre>]]..(config.no_error_detail and "Remove configuration option `no_error_detail' on the server to get more information."
or vlc.strings.convert_xml_special_chars(tostring(msg)))..[[</pre>
<p>
<a href="http://www.videolan.org/">VideoLAN</a><br/>
<a href="http://www.lua.org/manual/5.1/">Lua 5.1 Reference Manual</a>
......
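Review bot: `url` is still concatenated raw into both `<title>Error loading ]]..url..[[</title>` and the `<h1>` line, so the error page now escapes `msg` but not the other caller-supplied value it prints. The origin of `url` is outside the hunk (only the `callback_error(path,url,msg)` signature shows in the hunk header, and the body begins and ends outside the visible lines), but if it reflects the requested path it needs the same treatment. Escaping once near the top of the function, `local safe_url = vlc.strings.convert_xml_special_chars(url)`, and using `safe_url` in both places would cover the title and the heading together.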