authorjim-p <jimp@pfsense.org>2016-05-06 09:29:58 -0400
committerjim-p <jimp@pfsense.org>2016-05-06 09:32:02 -0400
commit45c50e6fa4d5b92859cfaf979b76cf156c07d8d4 (patch)
tree31cca2456c72a9a471b81406628744f48cd8b08c /src/usr
parent4bb398108bd8f17badd263eb4f20dd057373116d (diff)
Change the default output of pkg.php lists to be encoded before display. Preserve the old behavior as an option in case a package needs it (I didn't see any current ones that appeared to rely on the behavior, however)
Diffstat (limited to 'src/usr')
-rwxr-xr-xsrc/usr/local/www/pkg.php13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/usr/local/www/pkg.php b/src/usr/local/www/pkg.php
index 2a34885..c06d613 100755
--- a/src/usr/local/www/pkg.php
+++ b/src/usr/local/www/pkg.php
@@ -515,18 +515,23 @@ if ($savemsg) {
} else if ($column['type'] == "interface") {
echo $column['prefix'] . $iflist[$fieldname] . $column['suffix'];
} else {
+ $display_text = "";
#Check if columnitem has an encoding field declared
if ($column['encoding'] == "base64") {
- echo $column['prefix'] . base64_decode($fieldname) . $column['suffix'];
+ $display_text = $column['prefix'] . base64_decode($fieldname) . $column['suffix'];
#Check if there is a custom info to show when $fieldname is not empty
} else if ($column['listmodeon'] && $fieldname != "") {
- echo $column['prefix'] . gettext($column['listmodeon']). $column['suffix'];
+ $display_text = $column['prefix'] . gettext($column['listmodeon']). $column['suffix'];
#Check if there is a custom info to show when $fieldname is empty
} else if ($column['listmodeoff'] && $fieldname == "") {
- echo $column['prefix'] .gettext($column['listmodeoff']). $column['suffix'];
+ $display_text = $column['prefix'] .gettext($column['listmodeoff']). $column['suffix'];
} else {
- echo $column['prefix'] . $fieldname ." ". $column['suffix'];
+ $display_text = $column['prefix'] . $fieldname ." ". $column['suffix'];
}
+ if (!isset($column['allow_html'])) {
+ $display_text = htmlspecialchars($display_text);
+ }
+ echo $display_text;
}
?>
</td>
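Review bot: The `interface` branch in the first context lines of the hunk still echoes `$column['prefix'] . $iflist[$fieldname] . $column['suffix']` without encoding, so the new default only reaches the final `else` path; if `$iflist` carries operator-editable interface descriptions (not visible here), that cell should go through the same `htmlspecialchars()` call. In the added block I would pass explicit flags, `$display_text = htmlspecialchars($display_text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, because with the defaults a `base64_decode()` result that contains invalid UTF-8 comes back as an empty string and the cell renders blank. `isset($column['allow_html'])` also turns encoding off for the stored field value, not just `prefix`/`suffix`, and for any content of the tag, so a comment such as `# allow_html: package opts out of encoding for prefix, value and suffix; only for trusted, package-generated content` above the check would make that contract clear to package authors. The enclosing loop and the earlier column-type branches start above the hunk.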