luci-mod-system: sshkeys.js: prevent XSS through pubkey comments
Ensure to not display public key comments verbatim in order to prevent
injection of markup.

Reported-by: Eric McDonald <ericmcdonald@protonmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
jow- committed Sep 21, 2022
1 parent 68453ff commit 944b557
Showing 1 changed file with 1 addition and 1 deletion.
@@ -112,7 +112,7 @@ function renderKeyItem(pubkey) {
click: isReadonlyView ? null : removeKey,
'data-key': pubkey.src
}, [
E('strong', pubkey.comment || _('Unnamed key')), E('br'),
E('strong', [ pubkey.comment || _('Unnamed key') ]), E('br'),
E('small', [
'%s, %s'.format(pubkey.type, pubkey.curve || _('%d Bit').format(pubkey.bits)),
pubkey.options ? E([], [
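Review bot: The array wrapper on the E('strong', [ pubkey.comment || _('Unnamed key') ]) line is the whole fix, but nothing in the code says why it is there, so a later cleanup could collapse it back to the bare-string form and reintroduce the markup injection the commit message describes. A one-line comment there stating that the key comment is untrusted text and must be passed as a child list, not as a bare string, would protect it. The context lines show pubkey.type and pubkey.curve already passed inside an array under E('small', [...]); the pubkey.options branch is cut off in this view, so it is worth confirming that option values taken from the key line are rendered the same way, and adding a test with a comment containing markup characters to cover this path.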