Escape hostname to prevent XSS

Signed-off-by: yubiuser <github@yubiuser.dev>
2026-04-25 03:10:18 +01:00 · 2025-04-11 09:34:02 +02:00
parent 7433144b63
commit 6e4a17d8b3
1 changed files with 14 additions and 0 deletions
--- a/scripts/lua/header.lp
+++ b/scripts/lua/header.lp
@@ -40,6 +40,20 @@ function in_array (val, tab)
    return false
 end

+-- Function to escape HTML characters
+function escape_html(str)
+    -- Replace special characters with HTML entities
+    str = str:gsub("&", "&amp;")
+    str = str:gsub("<", "&lt;")
+    str = str:gsub(">", "&gt;")
+    str = str:gsub('"', "&quot;")
+    str = str:gsub("'", "&apos;")
+    return str
+end
+
+-- Sanitize hostname
+hostname = escape_html(hostname)
+
 -- Variable to check if user is already authenticated
 is_authenticated = mg.request_info.is_authenticated