Apply minetest.formspec_escape() to prevent formspec injection (H#143)MT0.4

author: Blockhead <?> 2020-01-04 18:33:57 +0100
committer: orwell96 <orwell@bleipb.de> 2020-01-04 18:33:57 +0100
commit: c0c6fcf00b7da9ae179ae070664b0655c10c37c5 (patch)
tree: 344c5ed3de32ac8b1b4969b5e0dea8bb82de4257 /advtrains_interlocking/route_ui.lua
parent: b905a8bf6d753a80ab35615adb9694f8906d11d0 (diff)
download: advtrains-c0c6fcf00b7da9ae179ae070664b0655c10c37c5.tar.gz
advtrains-c0c6fcf00b7da9ae179ae070664b0655c10c37c5.tar.bz2
advtrains-c0c6fcf00b7da9ae179ae070664b0655c10c37c5.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/advtrains_interlocking/route_ui.lua b/advtrains_interlocking/route_ui.lua
index 4ddab0c..71fed09 100644
--- a/advtrains_interlocking/route_ui.lua
+++ b/advtrains_interlocking/route_ui.lua
@@ -25,13 +25,13 @@ function atil.show_route_edit_form(pname, sigd, routeid)
 	if not route then return end
 	
 	local form = "size[9,10]label[0.5,0.2;Route overview]"
-	form = form.."field[0.8,1.2;5.2,1;name;Route name;"..route.name.."]"
+	form = form.."field[0.8,1.2;5.2,1;name;Route name;"..minetest.formspec_escape(route.name).."]"
 	form = form.."button[5.5,0.9;1,1;setname;Set]"
 	
 	-- construct textlist for route information
 	local tab = {}
 	local function itab(t)
-		tab[#tab+1] = string.gsub(t, ",", " ")
+		tab[#tab+1] = minetest.formspec_escape(string.gsub(t, ",", " "))
 	end
 	itab("TCB "..sigd_to_string(sigd).." ("..tcbs.signal_name..") Route #"..routeid)
author	Blockhead <?>	2020-01-04 18:33:57 +0100
committer	orwell96 <orwell@bleipb.de>	2020-01-04 18:33:57 +0100
commit	c0c6fcf00b7da9ae179ae070664b0655c10c37c5 (patch)
tree	344c5ed3de32ac8b1b4969b5e0dea8bb82de4257 /advtrains_interlocking/route_ui.lua
parent	b905a8bf6d753a80ab35615adb9694f8906d11d0 (diff)
download	advtrains-c0c6fcf00b7da9ae179ae070664b0655c10c37c5.tar.gz advtrains-c0c6fcf00b7da9ae179ae070664b0655c10c37c5.tar.bz2 advtrains-c0c6fcf00b7da9ae179ae070664b0655c10c37c5.zip