Christian Marangi 068150ba5f luci-mod-network: escape WiFi SSID on Scanning AP modal
After the ES2016 rework, a very old bug was reverted where the WiFi SSID was
treated as raw HTML and directly appended to DOM.

This might result in an XSS vulnerability with a specially crafted SSID from the
Access Points around.

This is only triggered on opening the modal as the normal wireless.js view
doesn't scan the Access Point.

To fix this and make it more clear that the SSID must always be escaped, move the
SSID handling to a dedicated variable and use document.createTextNode()
to escape it, similar to how it's done in similar places like
channel_analysis.js

Fixes: cdce600aae ("luci-mod-network: give wireless.js ES2016 treatment and refactor")
Reported-by: Sasha Romijn <sct@mxsasha.eu>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2026-03-13 19:15:53 +01:00