From c0c6fcf00b7da9ae179ae070664b0655c10c37c5 Mon Sep 17 00:00:00 2001
From: Blockhead
Date: Sat, 4 Jan 2020 18:33:57 +0100
Subject: Apply minetest.formspec_escape() to prevent formspec injection (H#143)
---
 advtrains_luaautomation/active_common.lua | 2 +-
 advtrains_luaautomation/pcnaming.lua | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'advtrains_luaautomation')
diff --git a/advtrains_luaautomation/active_common.lua b/advtrains_luaautomation/active_common.lua
index c17c6e9..48f75ac 100644
--- a/advtrains_luaautomation/active_common.lua
+++ b/advtrains_luaautomation/active_common.lua
@@ -36,7 +36,7 @@ function ac.getform(pos, meta_p)
 end
 local sel = 1
 for n,_ in pairs(atlatc.envs) do
- envs_asvalues[#envs_asvalues+1]=n
+ envs_asvalues[#envs_asvalues+1]=minetest.formspec_escape(n)
 if n==env then
 sel=#envs_asvalues
 end
diff --git a/advtrains_luaautomation/pcnaming.lua b/advtrains_luaautomation/pcnaming.lua
index 427585d..ebb769f 100644
--- a/advtrains_luaautomation/pcnaming.lua
+++ b/advtrains_luaautomation/pcnaming.lua
@@ -52,7 +52,7 @@ minetest.register_craftitem("advtrains_luaautomation:pcnaming",{
 pn=name
 end
 end
- minetest.show_formspec(pname, "atlatc_naming_"..minetest.pos_to_string(pos), "field[pn;Set name of component (empty to clear);"..pn.."]")
+ minetest.show_formspec(pname, "atlatc_naming_"..minetest.pos_to_string(pos), "field[pn;Set name of component (empty to clear);"..minetest.formspec_escape(pn).."]")
 end
 end
 end,
-- 
cgit v1.2.3
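Review bot: After this change `envs_asvalues` holds escaped names while `atlatc.envs` is still keyed by the raw name, and nothing on the changed line in `ac.getform` records which form later code must use. The comparison `n==env` rightly stays on the raw `n`; a comment such as `-- escaped for the dropdown only; compare and look up with the raw name n` would stop a later edit from matching against the list entries. How the list is joined into the formspec and how the submitted selection is mapped back to an environment lies outside the hunk, so it is worth confirming that the receive handler accepts only values that are existing keys of `atlatc.envs`. Rejecting formspec metacharacters when an environment name is created would add a second layer behind the output escaping.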
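Review bot: Escaping `pn` on the `minetest.show_formspec` line in pcnaming.lua covers only what is displayed, while the formname on the same line, `"atlatc_naming_"..minetest.pos_to_string(pos)`, carries the target position back through the client. The handler that receives this form is outside the hunk; since formname and fields are client-supplied, it should presumably re-check the player's privilege and the protection at the parsed position, and treat `fields.pn` as untrusted before storing it. A comment above the call would record the split, e.g. `-- pn is escaped for display only; the receive handler must re-validate pos and fields.pn`. The enclosing item callback starts and ends outside the hunk, so whether `pn` can be nil at this point is not visible here.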