From 285a7cacc39352e09f1d74fc115f1444d93026f8 Mon Sep 17 00:00:00 2001 From: Kroese Date: Sat, 20 Jan 2024 16:29:42 +0100 Subject: [PATCH 1/6] fix: Escape HTML --- src/reset.sh | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/reset.sh b/src/reset.sh index abdbb71b..6740cd89 100644 --- a/src/reset.sh +++ b/src/reset.sh @@ -42,11 +42,25 @@ VERS=$(qemu-system-x86_64 --version | head -n 1 | cut -d '(' -f 1) # Helper functions +escape () { + local s + s=${1//&/\&} + s=${s///\>} + s=${s//'"'/\"} + printf -- %s "$s" + return 0 +} + html() { - local title="$APP" + local title + local body + + title="$(escape $APP)" + title="$title" - local body="$1" + body="$(escape $1)" if [[ "$body" == *"..." ]]; then body="

${body/.../}

" fi From 12a082ae4b3ef7deadbf5e19776adb0a2c32e9cc Mon Sep 17 00:00:00 2001 From: Kroese Date: Sat, 20 Jan 2024 16:34:33 +0100 Subject: [PATCH 2/6] fix: Escape HTML --- src/reset.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/reset.sh b/src/reset.sh index 6740cd89..9a5400d4 100644 --- a/src/reset.sh +++ b/src/reset.sh @@ -56,11 +56,11 @@ html() { local title local body - - title="$(escape $APP)" + + title=$(escape "$APP") title="$title" - - body="$(escape $1)" + + body=$(escape "$1") if [[ "$body" == *"..." ]]; then body="
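Review bot: `escape` as shown rewrites `&`, the angle brackets and `"` but leaves `'` untouched, so its output is safe only in element text and double-quoted attributes, and nothing in the function says so. The angle-bracket line looks truncated on this page, so that part is inferred. I would add a header comment such as `# Escape $1 for HTML text or a double-quoted attribute; not for single-quoted attributes, URLs or script` and, if the template ever uses single-quoted attributes, a further substitution along the lines of `s=${s//\'/\&#39;}`. The calls `escape $APP` and `escape $1` are unquoted here, which the next patch in the series corrects. `html()` continues past the end of the hunk.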

${body/.../}

" fi From 1d848cee9eb7beaf2445fe6fc3b851ef668c5244 Mon Sep 17 00:00:00 2001 From: Kroese Date: Sat, 20 Jan 2024 16:35:59 +0100 Subject: [PATCH 3/6] fix: Quotes --- src/network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/network.sh b/src/network.sh index d41e9164..437f76eb 100644 --- a/src/network.sh +++ b/src/network.sh @@ -168,7 +168,7 @@ configureNAT() { update-alternatives --set iptables /usr/sbin/iptables-legacy > /dev/null update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy > /dev/null - exclude="$(getPorts "$HOST_PORTS")" + exclude=$(getPorts "$HOST_PORTS") iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE # shellcheck disable=SC2086 From 5d2d40de4d831454bc4e2722eb80e715978fa509 Mon Sep 17 00:00:00 2001 From: Kroese Date: Sat, 20 Jan 2024 16:38:06 +0100 Subject: [PATCH 4/6] fix: Quotes --- src/disk.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/disk.sh b/src/disk.sh index c5d6d814..cd0ca025 100644 --- a/src/disk.sh +++ b/src/disk.sh @@ -65,8 +65,8 @@ getSize() { local DISK_FILE=$1 local DISK_EXT DISK_FMT - DISK_EXT="$(echo "${DISK_FILE//*./}" | sed 's/^.*\.//')" - DISK_FMT="$(ext2fmt "$DISK_EXT")" + DISK_EXT=$(echo "${DISK_FILE//*./}" | sed 's/^.*\.//') + DISK_FMT=$(ext2fmt "$DISK_EXT") case "${DISK_FMT,,}" in raw) From 3f5d8bf5e886c96c0d52096a1f6e579a635d8581 Mon Sep 17 00:00:00 2001 From: Kroese Date: Sat, 20 Jan 2024 16:41:25 +0100 Subject: [PATCH 5/6] fix: Quotes --- src/disk.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/disk.sh b/src/disk.sh index cd0ca025..0a28f6aa 100644 --- a/src/disk.sh +++ b/src/disk.sh @@ -378,7 +378,7 @@ addDisk () { else PREV_FMT="qcow2" fi - PREV_EXT="$(fmt2ext "$PREV_FMT")" + PREV_EXT=$(fmt2ext "$PREV_FMT") if [ -f "$DISK_BASE.$PREV_EXT" ] ; then convertDisk "$DISK_BASE.$PREV_EXT" "$PREV_FMT" "$DISK_FILE" "$DISK_FMT" "$DISK_BASE" "$DISK_DESC" "$FS" || exit $? 
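Review bot: In `getSize` (src/disk.sh, patch 4/6), the rewritten `DISK_EXT=` line still pipes `echo` into `sed` to redo what the expansion has already done. `${DISK_FILE//*./}` removes everything up to the last dot, so `sed 's/^.*\.//'` has nothing left to strip. `DISK_EXT=${DISK_FILE##*.}` gives the same result without the subshell, and avoids `echo` misreading a value that begins with `-`. The body of `getSize` continues outside the hunk.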
@@ -441,7 +441,7 @@ if [ -z "$DISK_FMT" ]; then fi fi -DISK_EXT="$(fmt2ext "$DISK_FMT")" || exit $? +DISK_EXT=$(fmt2ext "$DISK_FMT") if [ -z "$ALLOCATE" ]; then if [[ "${DISK_FMT,,}" == "raw" ]]; then From b72da1aab250b83d8d5a3edd023ffd9bb38fb601 Mon Sep 17 00:00:00 2001 From: Kroese Date: Sat, 20 Jan 2024 16:46:27 +0100 Subject: [PATCH 6/6] fix: Escape HTML --- src/reset.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/reset.sh b/src/reset.sh index 9a5400d4..17b0d585 100644 --- a/src/reset.sh +++ b/src/reset.sh @@ -56,9 +56,11 @@ html() { local title local body + local footer title=$(escape "$APP") title="$title" + footer=$(escape "$FOOTER1") body=$(escape "$1") if [[ "$body" == *"..." ]]; then @@ -75,7 +77,7 @@ html() HTML="${HTML/\[1\]/$title}" HTML="${HTML/\[2\]/$script}" HTML="${HTML/\[3\]/$body}" - HTML="${HTML/\[4\]/$FOOTER1}" + HTML="${HTML/\[4\]/$footer}" HTML="${HTML/\[5\]/$FOOTER2}" echo "$HTML" > "$PAGE"
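Review bot: The second hunk of patch 5/6 drops `|| exit $?` from the top-level `DISK_EXT=` assignment, which is a behaviour change rather than the quoting cleanup the subject announces. If `fmt2ext` returns non-zero for an unrecognised format, the script used to stop here. Now, unless `set -e` is in effect (not visible in this hunk), it carries on with whatever `DISK_EXT` holds, possibly empty, and anything later derived from it would presumably be wrong. I would keep the check: `DISK_EXT=$(fmt2ext "$DISK_FMT") || exit $?`.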
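Review bot: In the last hunk of patch 6/6, `HTML="${HTML/\[4\]/$footer}"` puts escaped text on the replacement side of a pattern substitution, where bash 5.2 and later (with the default `patsub_replacement` option) expand an unquoted `&` to the matched text; the outer double quotes do not prevent that. Every entity `escape` presumably emits starts with `&`, so on such a shell the page would show `[4]amp;` and the like instead of the escaped character, and the same applies to the `$title` and `$body` lines above it. Quoting the replacement avoids this, e.g. `HTML="${HTML/\[4\]/"$footer"}"`; it is worth confirming on the bash version the image ships. `$FOOTER2` is still inserted unescaped on the next line, which is fine only if it is trusted markup. `html()` starts and ends outside these hunks.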