Apply minetest.formspec_escape() to prevent formspec injection (H#143)
Blockhead
orwell96
parent
b905a8bf6d
commit
c0c6fcf00b
|
|
@ -804,10 +804,10 @@ function wagon:show_bordcom(pname)
|
||||||
local data = advtrains.wagons[self.id]
|
local data = advtrains.wagons[self.id]
|
||||||
|
|
||||||
local form = "size[11,9]label[0.5,0;AdvTrains Boardcom v0.1]"
|
local form = "size[11,9]label[0.5,0;AdvTrains Boardcom v0.1]"
|
||||||
form=form.."textarea[0.5,1.5;7,1;text_outside;"..attrans("Text displayed outside on train")..";"..(train.text_outside or "").."]"
|
form=form.."textarea[0.5,1.5;7,1;text_outside;"..attrans("Text displayed outside on train")..";"..(minetest.formspec_escape(train.text_outside or "")).."]"
|
||||||
form=form.."textarea[0.5,3;7,1;text_inside;"..attrans("Text displayed inside train")..";"..(train.text_inside or "").."]"
|
form=form.."textarea[0.5,3;7,1;text_inside;"..attrans("Text displayed inside train")..";"..(minetest.formspec_escape(train.text_inside or "")).."]"
|
||||||
form=form.."field[7.5,1.75;3,1;line;"..attrans("Line")..";"..(train.line or "").."]"
|
form=form.."field[7.5,1.75;3,1;line;"..attrans("Line")..";"..(minetest.formspec_escape(train.line or "")).."]"
|
||||||
form=form.."field[7.5,3.25;3,1;routingcode;"..attrans("Routingcode")..";"..(train.routingcode or "").."]"
|
form=form.."field[7.5,3.25;3,1;routingcode;"..attrans("Routingcode")..";"..(minetest.formspec_escape(train.routingcode or "")).."]"
|
||||||
--row 5 : train overview and autocoupling
|
--row 5 : train overview and autocoupling
|
||||||
if train.velocity==0 then
|
if train.velocity==0 then
|
||||||
form=form.."label[0.5,4.5;Train overview /coupling control:]"
|
form=form.."label[0.5,4.5;Train overview /coupling control:]"
|
||||||
|
|
|
||||||
|
|
@ -25,13 +25,13 @@ function atil.show_route_edit_form(pname, sigd, routeid)
|
||||||
if not route then return end
|
if not route then return end
|
||||||
|
|
||||||
local form = "size[9,10]label[0.5,0.2;Route overview]"
|
local form = "size[9,10]label[0.5,0.2;Route overview]"
|
||||||
form = form.."field[0.8,1.2;5.2,1;name;Route name;"..route.name.."]"
|
form = form.."field[0.8,1.2;5.2,1;name;Route name;"..minetest.formspec_escape(route.name).."]"
|
||||||
form = form.."button[5.5,0.9;1,1;setname;Set]"
|
form = form.."button[5.5,0.9;1,1;setname;Set]"
|
||||||
|
|
||||||
-- construct textlist for route information
|
-- construct textlist for route information
|
||||||
local tab = {}
|
local tab = {}
|
||||||
local function itab(t)
|
local function itab(t)
|
||||||
tab[#tab+1] = string.gsub(t, ",", " ")
|
tab[#tab+1] = minetest.formspec_escape(string.gsub(t, ",", " "))
|
||||||
end
|
end
|
||||||
itab("TCB "..sigd_to_string(sigd).." ("..tcbs.signal_name..") Route #"..routeid)
|
itab("TCB "..sigd_to_string(sigd).." ("..tcbs.signal_name..") Route #"..routeid)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -180,7 +180,7 @@ local function mktcbformspec(tcbs, btnpref, offset, pname)
|
||||||
ts = ildb.get_ts(tcbs.ts_id)
|
ts = ildb.get_ts(tcbs.ts_id)
|
||||||
end
|
end
|
||||||
if ts then
|
if ts then
|
||||||
form = form.."label[0.5,"..offset..";Side "..btnpref..": "..ts.name.."]"
|
form = form.."label[0.5,"..offset..";Side "..btnpref..": "..minetest.formspec_escape(ts.name).."]"
|
||||||
form = form.."button[0.5,"..(offset+0.5)..";5,1;"..btnpref.."_gotots;Show track section]"
|
form = form.."button[0.5,"..(offset+0.5)..";5,1;"..btnpref.."_gotots;Show track section]"
|
||||||
if ildb.may_modify_tcbs(tcbs) then
|
if ildb.may_modify_tcbs(tcbs) then
|
||||||
-- Note: the security check to prohibit those actions is located in database.lua in the corresponding functions.
|
-- Note: the security check to prohibit those actions is located in database.lua in the corresponding functions.
|
||||||
|
|
@ -315,7 +315,7 @@ function advtrains.interlocking.show_ts_form(ts_id, pname, sel_tcb)
|
||||||
if not ts_id then return end
|
if not ts_id then return end
|
||||||
|
|
||||||
local form = "size[10,10]label[0.5,0.5;Track Section Detail - "..ts_id.."]"
|
local form = "size[10,10]label[0.5,0.5;Track Section Detail - "..ts_id.."]"
|
||||||
form = form.."field[0.8,2;5.2,1;name;Section name;"..ts.name.."]"
|
form = form.."field[0.8,2;5.2,1;name;Section name;"..minetest.formspec_escape(ts.name).."]"
|
||||||
form = form.."button[5.5,1.7;1,1;setname;Set]"
|
form = form.."button[5.5,1.7;1,1;setname;Set]"
|
||||||
local hint
|
local hint
|
||||||
|
|
||||||
|
|
@ -334,7 +334,7 @@ function advtrains.interlocking.show_ts_form(ts_id, pname, sel_tcb)
|
||||||
local other_ts = ildb.get_ts(other_id)
|
local other_ts = ildb.get_ts(other_id)
|
||||||
if other_ts then
|
if other_ts then
|
||||||
if ildb.may_modify_ts(other_ts) then
|
if ildb.may_modify_ts(other_ts) then
|
||||||
form = form.."button[5.5,3;3.5,1;mklink;Join with "..other_ts.name.."]"
|
form = form.."button[5.5,3;3.5,1;mklink;Join with "..minetest.formspec_escape(other_ts.name).."]"
|
||||||
form = form.."button[9 ,3;0.5,1;cancellink;X]"
|
form = form.."button[9 ,3;0.5,1;cancellink;X]"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
@ -555,7 +555,7 @@ function advtrains.interlocking.show_signalling_form(sigd, pname, sel_rte)
|
||||||
if not tcbs.routes then tcbs.routes = {} end
|
if not tcbs.routes then tcbs.routes = {} end
|
||||||
|
|
||||||
local form = "size[7,10]label[0.5,0.5;Signal at "..minetest.pos_to_string(sigd.p).."]"
|
local form = "size[7,10]label[0.5,0.5;Signal at "..minetest.pos_to_string(sigd.p).."]"
|
||||||
form = form.."field[0.8,1.5;5.2,1;name;Signal name;"..tcbs.signal_name.."]"
|
form = form.."field[0.8,1.5;5.2,1;name;Signal name;"..minetest.formspec_escape(tcbs.signal_name).."]"
|
||||||
form = form.."button[5.5,1.2;1,1;setname;Set]"
|
form = form.."button[5.5,1.2;1,1;setname;Set]"
|
||||||
|
|
||||||
if tcbs.routeset then
|
if tcbs.routeset then
|
||||||
|
|
@ -566,13 +566,13 @@ function advtrains.interlocking.show_signalling_form(sigd, pname, sel_rte)
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
form = form.."label[0.5,2.5;A route is requested from this signal:]"
|
form = form.."label[0.5,2.5;A route is requested from this signal:]"
|
||||||
form = form.."label[0.5,3.0;"..rte.name.."]"
|
form = form.."label[0.5,3.0;"..minetest.formspec_escape(rte.name).."]"
|
||||||
if tcbs.route_committed then
|
if tcbs.route_committed then
|
||||||
form = form.."label[0.5,3.5;Route has been set.]"
|
form = form.."label[0.5,3.5;Route has been set.]"
|
||||||
else
|
else
|
||||||
form = form.."label[0.5,3.5;Waiting for route to be set...]"
|
form = form.."label[0.5,3.5;Waiting for route to be set...]"
|
||||||
if tcbs.route_rsn then
|
if tcbs.route_rsn then
|
||||||
form = form.."label[0.5,4;"..tcbs.route_rsn.."]"
|
form = form.."label[0.5,4;"..minetest.formspec_escape(tcbs.route_rsn).."]"
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
if not tcbs.route_auto then
|
if not tcbs.route_auto then
|
||||||
|
|
|
||||||
|
|
@ -58,7 +58,7 @@ local function show_stoprailform(pos, player)
|
||||||
form = form.."dropdown[0.5,3;2;doors;Left,Right,Closed;"..door_dropdown[stdata.doors].."]"
|
form = form.."dropdown[0.5,3;2;doors;Left,Right,Closed;"..door_dropdown[stdata.doors].."]"
|
||||||
form = form.."dropdown[3,3;1.5;reverse;---,Reverse;"..(stdata.reverse and 2 or 1).."]"
|
form = form.."dropdown[3,3;1.5;reverse;---,Reverse;"..(stdata.reverse and 2 or 1).."]"
|
||||||
|
|
||||||
form = form.."field[5,3.5;2,1;track;"..attrans("Track")..";"..stdata.track.."]"
|
form = form.."field[5,3.5;2,1;track;"..attrans("Track")..";"..minetest.formspec_escape(stdata.track).."]"
|
||||||
form = form.."field[5,4.5;2,1;wait;"..attrans("Stop Time")..";"..stdata.wait.."]"
|
form = form.."field[5,4.5;2,1;wait;"..attrans("Stop Time")..";"..stdata.wait.."]"
|
||||||
|
|
||||||
form = form.."textarea[0.5,4;4,2;ars;Trains stopping here (ARS rules);"..advtrains.interlocking.ars_to_text(stdata.ars).."]"
|
form = form.."textarea[0.5,4;4,2;ars;Trains stopping here (ARS rules);"..advtrains.interlocking.ars_to_text(stdata.ars).."]"
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,7 @@ function ac.getform(pos, meta_p)
|
||||||
end
|
end
|
||||||
local sel = 1
|
local sel = 1
|
||||||
for n,_ in pairs(atlatc.envs) do
|
for n,_ in pairs(atlatc.envs) do
|
||||||
envs_asvalues[#envs_asvalues+1]=n
|
envs_asvalues[#envs_asvalues+1]=minetest.formspec_escape(n)
|
||||||
if n==env then
|
if n==env then
|
||||||
sel=#envs_asvalues
|
sel=#envs_asvalues
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -52,7 +52,7 @@ minetest.register_craftitem("advtrains_luaautomation:pcnaming",{
|
||||||
pn=name
|
pn=name
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
minetest.show_formspec(pname, "atlatc_naming_"..minetest.pos_to_string(pos), "field[pn;Set name of component (empty to clear);"..pn.."]")
|
minetest.show_formspec(pname, "atlatc_naming_"..minetest.pos_to_string(pos), "field[pn;Set name of component (empty to clear);"..minetest.formspec_escape(pn).."]")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end,
|
end,
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue