luci: escape html in group names for node_list

lwb1978 · lwb1978 · commit b1d311af97ae · 2025-12-26T00:19:23.000+08:00
diff --git a/luci-app-passwall/luasrc/view/passwall/node_list/node_list.htm b/luci-app-passwall/luasrc/view/passwall/node_list/node_list.htm
@@ -755,6 +755,12 @@
 			}
 		}
 	}
+
+	function escape_html(s) {
+		return s.replace(/[&<>"']/g, c => ({
+			"&":"&amp;", "<":"&lt;", ">":"&gt;", '"':"&quot;", "'":"&#39;"
+		}[c]));
+	}
 </script>
 
 <script type="text/template" id="nodes-table-template">
@@ -938,7 +944,7 @@
 
 				tab_ul_li_html +=
 					'<li group_name="' + group + '" id="tab.passwall.nodes.' + group + '" class="cbi-tab">' +
-						'<a onclick="this.blur(); return cbi_t_switch(\'passwall.nodes\', \'' + group + '\')" href="<%=REQUEST_URI%>?tab.passwall.nodes=' + group + '">' + group_name + " | " + "<font style='color: red'>" + group_nodes[group].length + '</font></a>' +
+						'<a onclick="this.blur(); return cbi_t_switch(\'passwall.nodes\', \'' + group + '\')" href="<%=REQUEST_URI%>?tab.passwall.nodes=' + group + '">' + escape_html(group_name) + " | " + "<font style='color: red'>" + group_nodes[group].length + '</font></a>' +
 					'</li>'
 				tab_content_html +=
 					'<div class="cbi-tabcontainer" id="container.passwall.nodes.' + group + '" style="display: none;">' +

Original file line number	Diff line number	Diff line change
`@@ -755,6 +755,12 @@`
`755`	`755`	`}`
`756`	`756`	`}`
`757`	`757`	`}`
	`758`	`+`
	`759`	`+ function escape_html(s) {`
	`760`	`+ return s.replace(/[&<>"']/g, c => ({`
	`761`	`+ "&":"&", "<":"<", ">":">", '"':""", "'":"'"`
	`762`	`+ }[c]));`
	`763`	`+ }`
`758`	`764`	`</script>`
`759`	`765`
`760`	`766`	`<script type="text/template" id="nodes-table-template">`
`@@ -938,7 +944,7 @@`
`938`	`944`
`939`	`945`	`tab_ul_li_html +=`
`940`	`946`	`'<li group_name="' + group + '" id="tab.passwall.nodes.' + group + '" class="cbi-tab">' +`
`941`		`- '<a onclick="this.blur(); return cbi_t_switch(\'passwall.nodes\', \'' + group + '\')" href="<%=REQUEST_URI%>?tab.passwall.nodes=' + group + '">' + group_name + " \| " + "<font style='color: red'>" + group_nodes[group].length + '</font></a>' +`
	`947`	`+ '<a onclick="this.blur(); return cbi_t_switch(\'passwall.nodes\', \'' + group + '\')" href="<%=REQUEST_URI%>?tab.passwall.nodes=' + group + '">' + escape_html(group_name) + " \| " + "<font style='color: red'>" + group_nodes[group].length + '</font></a>' +`
`942`	`948`	`'</li>'`
`943`	`949`	`tab_content_html +=`
`944`	`950`	`'<div class="cbi-tabcontainer" id="container.passwall.nodes.' + group + '" style="display: none;">' +`