luci-mod-system: sshkeys.js: prevent XSS through pubkey comments
authorJo-Philipp Wich <jo@mein.io>
Wed, 21 Sep 2022 12:47:41 +0000 (14:47 +0200)
committerJo-Philipp Wich <jo@mein.io>
Wed, 21 Sep 2022 12:49:49 +0000 (14:49 +0200)
Ensure that public key comments are not displayed verbatim, in order to
prevent injection of markup.

Reported-by: Eric McDonald <ericmcdonald@protonmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 944b55738e7f9685865d5298248b7fbd7380749e)

modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js

index a2f0bef9b4aff6e1f657a54018cb59ac6133660c..8b12b2311e4591cd5706ae951b1d629c1a04ea99 100644 (file)
@@ -112,7 +112,7 @@ function renderKeyItem(pubkey) {
                click: isReadonlyView ? null : removeKey,
                'data-key': pubkey.src
        }, [
-               E('strong', pubkey.comment || _('Unnamed key')), E('br'),
+               E('strong', [ pubkey.comment || _('Unnamed key') ]), E('br'),
                E('small', [
                        '%s, %s'.format(pubkey.type, pubkey.curve || _('%d Bit').format(pubkey.bits)),
                        pubkey.options ? E([], [
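Review bot: The safety of the new `E('strong', [ pubkey.comment || _('Unnamed key') ])` line rests entirely on the array wrapper, and nothing in the code says so, so a later cleanup that drops the brackets would silently reintroduce the markup injection. I would add a comment directly above it, for example `/* array child is appended as a text node; a bare string would be parsed as markup */`. The `pubkey.type`, `pubkey.curve` and `pubkey.bits` values on the following `E('small', [ ... ])` line are already inside an array, so they appear to get the same text-node treatment. renderKeyItem starts and ends outside this hunk, and the `pubkey.options` rendering continues past its last line, so any other place that passes key-derived text to E() as a bare string should be checked separately.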