From d0be8238074dd15254838e4af12069ff4bef67d2 Mon Sep 17 00:00:00 2001 From: Kahrl Date: Mon, 8 Dec 2014 07:47:51 +0100 Subject: [PATCH] Always escape user provided data in mainmenu fields --- builtin/mainmenu/tab_multiplayer.lua | 9 ++++++--- builtin/mainmenu/tab_server.lua | 8 ++++---- builtin/mainmenu/tab_simple_main.lua | 9 ++++++--- 3 files changed, 16 insertions(+), 10 deletions(-) diff --git a/builtin/mainmenu/tab_multiplayer.lua b/builtin/mainmenu/tab_multiplayer.lua index c3a7d921e..b235eaecf 100644 --- a/builtin/mainmenu/tab_multiplayer.lua +++ b/builtin/mainmenu/tab_multiplayer.lua @@ -24,8 +24,10 @@ local function get_formspec(tabview, name, tabdata) "label[1,-0.25;".. fgettext("Favorites:") .. "]".. "label[1,4.25;".. fgettext("Address/Port") .. "]".. "label[9,2.75;".. fgettext("Name/Password") .. "]" .. - "field[1.25,5.25;5.5,0.5;te_address;;" ..core.setting_get("address") .."]" .. - "field[6.75,5.25;2.25,0.5;te_port;;" ..core.setting_get("remote_port") .."]" .. + "field[1.25,5.25;5.5,0.5;te_address;;" .. + core.formspec_escape(core.setting_get("address")) .."]" .. + "field[6.75,5.25;2.25,0.5;te_port;;" .. + core.formspec_escape(core.setting_get("remote_port")) .."]" .. "checkbox[1,3.6;cb_public_serverlist;".. fgettext("Public Serverlist") .. ";" .. dump(core.setting_getbool("public_serverlist")) .. "]" @@ -36,7 +38,8 @@ local function get_formspec(tabview, name, tabdata) retval = retval .. "button[9,4.95;2.5,0.5;btn_mp_connect;".. fgettext("Connect") .. "]" .. - "field[9.3,3.75;2.5,0.5;te_name;;" ..core.setting_get("name") .."]" .. + "field[9.3,3.75;2.5,0.5;te_name;;" .. + core.formspec_escape(core.setting_get("name")) .."]" .. "pwdfield[9.3,4.5;2.5,0.5;te_pwd;]" .. "textarea[9.3,0.25;2.5,2.75;;" diff --git a/builtin/mainmenu/tab_server.lua b/builtin/mainmenu/tab_server.lua index 154a54cc7..34706efbe 100644 --- a/builtin/mainmenu/tab_server.lua +++ b/builtin/mainmenu/tab_server.lua 
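Review bot: `core.formspec_escape(core.setting_get(...))` is now written out by hand at both fields in this hunk, again at `te_name` in the next hunk, and in tab_server.lua and tab_simple_main.lua, so a field added later can easily miss it. A small local helper such as `local function esc_setting(key) return core.formspec_escape(core.setting_get(key) or "") end` would keep the escaping in one place. The `or ""` guards against an unset setting, because whether `formspec_escape` accepts nil is not visible on this page. get_formspec starts and ends outside the hunk.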
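Review bot: The `"textarea[9.3,0.25;2.5,2.75;;"` element at the end of the second tab_multiplayer.lua hunk is left open, so its content is concatenated outside the hunk and cannot be checked here. If that content comes from a server-list entry (inferred, not shown), it is supplied remotely rather than typed by the local user, and it needs `core.formspec_escape` at least as much as `te_name` does. That site should be confirmed before the "always escape" in the subject line is taken at face value.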
@@ -36,20 +36,20 @@ local function get_formspec(tabview, name, tabdata) "checkbox[0.5,1.15;cb_server_announce;".. fgettext("Public") .. ";" .. dump(core.setting_getbool("server_announce")) .. "]".. "field[0.8,3.2;3.5,0.5;te_playername;".. fgettext("Name") .. ";" .. - core.setting_get("name") .. "]" .. + core.formspec_escape(core.setting_get("name")) .. "]" .. "pwdfield[0.8,4.2;3.5,0.5;te_passwd;".. fgettext("Password") .. "]" local bind_addr = core.setting_get("bind_address") if bind_addr ~= nil and bind_addr ~= "" then retval = retval .. "field[0.8,5.2;2.25,0.5;te_serveraddr;".. fgettext("Bind Address") .. ";" .. - core.setting_get("bind_address") .."]" .. + core.formspec_escape(core.setting_get("bind_address")) .."]" .. "field[3.05,5.2;1.25,0.5;te_serverport;".. fgettext("Port") .. ";" .. - core.setting_get("port") .."]" + core.formspec_escape(core.setting_get("port")) .."]" else retval = retval .. "field[0.8,5.2;3.5,0.5;te_serverport;".. fgettext("Server Port") .. ";" .. - core.setting_get("port") .."]" + core.formspec_escape(core.setting_get("port")) .."]" end retval = retval .. diff --git a/builtin/mainmenu/tab_simple_main.lua b/builtin/mainmenu/tab_simple_main.lua index 0724acf87..b48e523f3 100644 --- a/builtin/mainmenu/tab_simple_main.lua +++ b/builtin/mainmenu/tab_simple_main.lua 
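Review bot: The `te_serveraddr` field reads the setting a second time with `core.setting_get("bind_address")`, although `bind_addr` was already fetched and checked for nil and empty just above. Escaping the local instead, `core.formspec_escape(bind_addr) .."]" ..`, guarantees that the value that passed the check is the one rendered. `core.setting_get("port")` has no nil check in either branch, so both concatenations rely on that setting always having a value. A comment above the fields, such as `-- settings are user-editable text: escape before embedding in a formspec`, would record why the wrapper is there.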
@@ -23,14 +23,17 @@ local function get_formspec(tabview, name, tabdata) retval = retval .. "label[8,0.5;".. fgettext("Name/Password") .. "]" .. - "field[0.25,3.25;5.5,0.5;te_address;;" ..core.setting_get("address") .."]" .. - "field[5.75,3.25;2.25,0.5;te_port;;" ..core.setting_get("remote_port") .."]" .. + "field[0.25,3.25;5.5,0.5;te_address;;" .. + core.formspec_escape(core.setting_get("address")) .."]" .. + "field[5.75,3.25;2.25,0.5;te_port;;" .. + core.formspec_escape(core.setting_get("remote_port")) .."]" .. "checkbox[8,-0.25;cb_public_serverlist;".. fgettext("Public Serverlist") .. ";" .. render_details .. "]" retval = retval .. "button[8,2.5;4,1.5;btn_mp_connect;".. fgettext("Connect") .. "]" .. - "field[8.75,1.5;3.5,0.5;te_name;;" ..core.setting_get("name") .."]" .. + "field[8.75,1.5;3.5,0.5;te_name;;" .. + core.formspec_escape(core.setting_get("name")) .."]" .. "pwdfield[8.75,2.3;3.5,0.5;te_pwd;]" --favourites
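Review bot: `render_details` is still concatenated into the `cb_public_serverlist` checkbox element without escaping, while every other interpolated setting in this hunk is now wrapped. Its definition is outside the hunk. If it is the same `dump(core.setting_getbool("public_serverlist"))` value that tab_multiplayer.lua uses at this position, it can only be `true` or `false` and is safe. A comment saying so, e.g. `-- render_details is a dumped boolean, no escaping needed`, would save the next reader the lookup.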