From c0c6fcf00b7da9ae179ae070664b0655c10c37c5 Mon Sep 17 00:00:00 2001
From: Blockhead <?>
Date: Sat, 4 Jan 2020 18:33:57 +0100
Subject: Apply minetest.formspec_escape() to prevent formspec injection
 (H#143)

---
 advtrains_luaautomation/active_common.lua | 2 +-
 advtrains_luaautomation/pcnaming.lua      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'advtrains_luaautomation')

diff --git a/advtrains_luaautomation/active_common.lua b/advtrains_luaautomation/active_common.lua
index c17c6e9..48f75ac 100644
--- a/advtrains_luaautomation/active_common.lua
+++ b/advtrains_luaautomation/active_common.lua
@@ -36,7 +36,7 @@ function ac.getform(pos, meta_p)
 	end
 	local sel = 1
 	for n,_ in pairs(atlatc.envs) do
-		envs_asvalues[#envs_asvalues+1]=n
+		envs_asvalues[#envs_asvalues+1]=minetest.formspec_escape(n)
 		if n==env then
 			sel=#envs_asvalues
 		end
diff --git a/advtrains_luaautomation/pcnaming.lua b/advtrains_luaautomation/pcnaming.lua
index 427585d..ebb769f 100644
--- a/advtrains_luaautomation/pcnaming.lua
+++ b/advtrains_luaautomation/pcnaming.lua
@@ -52,7 +52,7 @@ minetest.register_craftitem("advtrains_luaautomation:pcnaming",{
 						pn=name
 					end
 				end
-				minetest.show_formspec(pname, "atlatc_naming_"..minetest.pos_to_string(pos), "field[pn;Set name of component (empty to clear);"..pn.."]")
+				minetest.show_formspec(pname, "atlatc_naming_"..minetest.pos_to_string(pos), "field[pn;Set name of component (empty to clear);"..minetest.formspec_escape(pn).."]")
 			end
 		end
 	end,
-- 
cgit v1.2.3