From 8a34b991c0e005889616718c32edc3b4e7c5aeac Mon Sep 17 00:00:00 2001
From: Stephen Beaver <sbeaver@netgate.com>
Date: Tue, 19 Jan 2016 08:18:08 -0500
Subject: Add Javascript htmlchars() equivalent to dynamically created inputs
 Temporarily remove function that broke action icons

---
 src/usr/local/www/firewall_rules.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/usr/local/www/firewall_rules.php b/src/usr/local/www/firewall_rules.php
index f416353..6e57c92 100644
--- a/src/usr/local/www/firewall_rules.php
+++ b/src/usr/local/www/firewall_rules.php
@@ -761,7 +761,7 @@ events.push(function() {
 		$("#btnnewsep").prop('type' ,'button');
 
 		$("#btnnewsep").click(function() {
-			var septext = $('#newsep').val();
+			var septext = escapeHtml($('#newsep').val());
 			$('#ruletable > tbody:last >tr:last').remove();
 			$('#ruletable > tbody:last').append('<tr class="ui-sortable-handle">' +
 	            '<td bgcolor="#cce5ff" colspan="11">' + '<font color="#002699">' + septext + '</font></td>' +
@@ -769,13 +769,25 @@ events.push(function() {
 	            '</tr>');
 		});
     });
-
+/*
 	$(function(){
 		$('table').on('click','tr a',function(e){
 			e.preventDefault();
 			$(this).parents('tr').remove();
 		});
 	});
+*/
+	function escapeHtml(text) {
+		var map = {
+			'&': '&amp;',
+			'<': '&lt;',
+			'>': '&gt;',
+			'"': '&quot;',
+			"'": '&#039;'
+		};
+
+		return text.replace(/[&<>"']/g, function(m) { return map[m]; });
+	}
 });
 //]]>
 </script>
-- 
cgit v1.1