lua http: fix two xss vulnerabilities

(cherry picked from commit bf02b8dd211d5a52aa301a9a2ff4e73ed8195881) Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>

lua http: fix two xss vulnerabilities
(cherry picked from commit bf02b8dd211d5a52aa301a9a2ff4e73ed8195881) Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
d8b8b9c9 · Ludovic Fauvet · Jean-Baptiste Kempf · 26787244 · d8b8b9c9 · d8b8b9c9
Commit d8b8b9c9 authored Apr 08, 2013 by Ludovic Fauvet Committed by Jean-Baptiste Kempf Apr 08, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

share/lua/http/requests/vlm_cmd.xml share/lua/http/requests/vlm_cmd.xml +1 -1

share/lua/intf/http.lua share/lua/intf/http.lua +2 -1

No files found.
--- a/share/lua/http/requests/vlm_cmd.xml
+++ b/share/lua/http/requests/vlm_cmd.xml
@@ -27,7 +27,7 @@
 if _GET["command"] then
  local msg = vlm:execute_command(_GET["command"])
  if msg.value then
-    print(msg.name,":",msg.value)
+    print(msg.name,":",vlc.strings.convert_xml_special_chars(msg.value))
  end
 else
 ?>No command<?vlc

--- a/share/lua/intf/http.lua
+++ b/share/lua/intf/http.lua
@@ -107,7 +107,8 @@ function callback_error(path,url,msg)
 <title>Error loading ]]..url..[[</title>
 </head>
 <body>
-<h1>Error loading ]]..url..[[</h1><pre>]]..(config.no_error_detail and "Remove configuration option `no_error_detail' on the server to get more information." or tostring(msg))..[[</pre>
+<h1>Error loading ]]..url..[[</h1><pre>]]..(config.no_error_detail and "Remove configuration option `no_error_detail' on the server to get more information."
+or vlc.strings.convert_xml_special_chars(tostring(msg)))..[[</pre>
 <p>
 <a href="http://www.videolan.org/">VideoLAN</a><br/>
 <a href="http://www.lua.org/manual/5.1/">Lua 5.1 Reference Manual</a>