luci-mod-network: escape WiFi SSID on Scanning AP modal
authorChristian Marangi <redacted>
Thu, 12 Mar 2026 15:07:49 +0000 (16:07 +0100)
committerChristian Marangi <redacted>
Fri, 13 Mar 2026 18:15:53 +0000 (19:15 +0100)
After the ES2016 rework, a very old bug was reverted where the WiFi SSID was
treated as raw HTML and directly appended to DOM.

This might result in an XSS vulnerability via a specially crafted SSID
broadcast by a nearby Access Point.

This is only triggered on opening the modal as the normal wireless.js view
doesn't scan the Access Point.

To fix this and make it more clear that SSID must be always escaped, move the
SSID handling to a dedicated variable and use the document.createTextNode()
to escape it similar to how it's done in similar place like the
channel_analysis.js

Fixes: cdce600aaec6 ("luci-mod-network: give wireless.js ES2016 treatment and refactor")
Reported-by: Sasha Romijn <redacted>
Signed-off-by: Christian Marangi <redacted>
modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js

index 269997497e450261476f9bd0d63caed295fdf34d..4d556a9dee1073b2dc9019a4812b2cc2f60554dd 100644 (file)
@@ -2247,10 +2247,11 @@ return view.extend({
                                        const qm = res?.quality_max ?? 0;
                                        const q = (qv > 0 && qm > 0) ? Math.floor((100 / qm) * qv) : 0;
                                        const s = res.stale ? 'opacity:0.5' : '';
+                                       const ssid = (typeof res.ssid === 'string' && res.ssid.length > 0) ? document.createTextNode(`${res?.ssid}`) : null;
 
                                        rows.push([
                                                E('span', { 'style': s }, render_signal_badge(q, res?.signal, res?.noise)),
-                                               E('span', { 'style': s }, (typeof res.ssid === 'string' && res.ssid.length > 0) ? `${res?.ssid}` : E('em', _('hidden'))),
+                                               E('span', { 'style': s }, ssid ?? E('em', _('hidden'))),
                                                E('span', { 'style': s }, `${res?.channel}`),
                                                E('span', { 'style': s }, `${res?.mode}`),
                                                E('span', { 'style': s }, `${res?.bssid}`),
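Review bot: The string-interpolation pattern the commit removes for the SSID is still used for the neighbouring cells at the end of the hunk — `${res?.channel}`, `${res?.mode}` and `${res?.bssid}` are handed to `E()` as plain strings, which according to the commit description is exactly the path that rendered the SSID as raw HTML. These values come from the same scan result as the SSID; they are presumably constrained by the backend to a number, a mode keyword and a MAC address, but that constraint is not visible here, so wrapping them the same way, e.g. `E('span', { 'style': s }, document.createTextNode(`${res?.bssid}`))`, would close the remaining surface instead of relying on upstream formatting. On the added line, `res?.ssid` is redundant once `typeof res.ssid === 'string'` has already dereferenced `res`, and the template literal around a value known to be a string adds nothing — `document.createTextNode(res.ssid)` says the same thing more plainly and avoids suggesting `res` may be nullish there. The enclosing callback and the `rows.push([...])` statement start and end outside the hunk.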