From: Christian Marangi Date: Thu, 12 Mar 2026 15:07:49 +0000 (+0100) Subject: luci-mod-network: escape WiFi SSID on Scanning AP modal X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=068150ba5f524ef6b03817b258d31ec310053fd6;p=openwrt-luci.git luci-mod-network: escape WiFi SSID on Scanning AP modal After the ES2016 rework, a very old bug was reverted where the WiFi SSID was treated as raw HTML and directly appended to DOM. This might result in XSS vulnerability with specially crafted SSID from the Access Point around. This is only triggered on opening the modal as the normal wireless.js view doesn't scan the Access Point. To fix this and make it more clear that SSID must be always escaped, move the SSID handling to a dedicated variable and use the document.createTextNode() to escape it similar to how it's done in similar place like the channel_analysis.js Fixes: cdce600aaec6 ("luci-mod-network: give wireless.js ES2016 treatment and refactor") Reported-by: Sasha Romijn Signed-off-by: Christian Marangi
---
diff --git a/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js b/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js
index 269997497e..4d556a9dee 100644
--- a/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js
+++ b/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js
@@ -2247,10 +2247,11 @@ return view.extend({
 const qm = res?.quality_max ?? 0;
 const q = (qv > 0 && qm > 0) ? Math.floor((100 / qm) * qv) : 0;
 const s = res.stale ? 'opacity:0.5' : '';
+ const ssid = (typeof res.ssid === 'string' && res.ssid.length > 0) ? document.createTextNode(`${res?.ssid}`) : null;
 rows.push([
 E('span', { 'style': s }, render_signal_badge(q, res?.signal, res?.noise)),
- E('span', { 'style': s }, (typeof res.ssid === 'string' && res.ssid.length > 0) ? `${res?.ssid}` : E('em', _('hidden'))),
+ E('span', { 'style': s }, ssid ?? E('em', _('hidden'))),
 E('span', { 'style': s }, `${res?.channel}`),
 E('span', { 'style': s }, `${res?.mode}`),
 E('span', { 'style': s }, `${res?.bssid}`),