From c0c6fcf00b7da9ae179ae070664b0655c10c37c5 Mon Sep 17 00:00:00 2001
From: Blockhead
Date: Sat, 4 Jan 2020 18:33:57 +0100
Subject: Apply minetest.formspec_escape() to prevent formspec injection (H#143)
---
advtrains/wagons.lua | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'advtrains/wagons.lua')
diff --git a/advtrains/wagons.lua b/advtrains/wagons.lua
index 040c1e4..b13b8d8 100644
--- a/advtrains/wagons.lua
+++ b/advtrains/wagons.lua
@@ -804,10 +804,10 @@ function wagon:show_bordcom(pname)
 local data = advtrains.wagons[self.id]
 local form = "size[11,9]label[0.5,0;AdvTrains Boardcom v0.1]"
- form=form.."textarea[0.5,1.5;7,1;text_outside;"..attrans("Text displayed outside on train")..";"..(train.text_outside or "").."]"
- form=form.."textarea[0.5,3;7,1;text_inside;"..attrans("Text displayed inside train")..";"..(train.text_inside or "").."]"
- form=form.."field[7.5,1.75;3,1;line;"..attrans("Line")..";"..(train.line or "").."]"
- form=form.."field[7.5,3.25;3,1;routingcode;"..attrans("Routingcode")..";"..(train.routingcode or "").."]"
+ form=form.."textarea[0.5,1.5;7,1;text_outside;"..attrans("Text displayed outside on train")..";"..(minetest.formspec_escape(train.text_outside or "")).."]"
+ form=form.."textarea[0.5,3;7,1;text_inside;"..attrans("Text displayed inside train")..";"..(minetest.formspec_escape(train.text_inside or "")).."]"
+ form=form.."field[7.5,1.75;3,1;line;"..attrans("Line")..";"..(minetest.formspec_escape(train.line or "")).."]"
+ form=form.."field[7.5,3.25;3,1;routingcode;"..attrans("Routingcode")..";"..(minetest.formspec_escape(train.routingcode or "")).."]"
 --row 5 : train overview and autocoupling
 if train.velocity==0 then
 form=form.."label[0.5,4.5;Train overview /coupling control:]"
-- cgit v1.2.3
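Review bot: The label arguments on the four changed lines are still concatenated raw from `attrans(...)`, so only the stored train values are escaped; a translated string containing `;` or `]` would end the element early in the same way. Wrapping the labels too, e.g. `..minetest.formspec_escape(attrans("Line"))..`, keeps every dynamic piece of the formspec string escaped at the point of output. show_bordcom starts before and continues after this hunk, so any later elements built from train or wagon data (not visible here) presumably need the same check. A short alias such as `local F = minetest.formspec_escape` at the top of the function would also make these long concatenations easier to audit.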