From c0c6fcf00b7da9ae179ae070664b0655c10c37c5 Mon Sep 17 00:00:00 2001
From: Blockhead <?>
Date: Sat, 4 Jan 2020 18:33:57 +0100
Subject: Apply minetest.formspec_escape() to prevent formspec injection
 (H#143)

---
 advtrains_interlocking/route_ui.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'advtrains_interlocking/route_ui.lua')

diff --git a/advtrains_interlocking/route_ui.lua b/advtrains_interlocking/route_ui.lua
index 4ddab0c..71fed09 100644
--- a/advtrains_interlocking/route_ui.lua
+++ b/advtrains_interlocking/route_ui.lua
@@ -25,13 +25,13 @@ function atil.show_route_edit_form(pname, sigd, routeid)
 	if not route then return end
 	
 	local form = "size[9,10]label[0.5,0.2;Route overview]"
-	form = form.."field[0.8,1.2;5.2,1;name;Route name;"..route.name.."]"
+	form = form.."field[0.8,1.2;5.2,1;name;Route name;"..minetest.formspec_escape(route.name).."]"
 	form = form.."button[5.5,0.9;1,1;setname;Set]"
 	
 	-- construct textlist for route information
 	local tab = {}
 	local function itab(t)
-		tab[#tab+1] = string.gsub(t, ",", " ")
+		tab[#tab+1] = minetest.formspec_escape(string.gsub(t, ",", " "))
 	end
 	itab("TCB "..sigd_to_string(sigd).." ("..tcbs.signal_name..") Route #"..routeid)
 	
-- 
cgit v1.2.3