From a79f42f4da049db99251db76ce4897446fc1542e Mon Sep 17 00:00:00 2001
From: luukas
Date: Wed, 2 Jun 2021 21:47:08 +0300
Subject: [PATCH] Escape logfile output, fixes weird formatting and remote code execution vulnerability
---
 app/classes/web/ajax_handler.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/classes/web/ajax_handler.py b/app/classes/web/ajax_handler.py
index 0796527e..0f0cdb4c 100644
--- a/app/classes/web/ajax_handler.py
+++ b/app/classes/web/ajax_handler.py
@@ -5,6 +5,7 @@ import tornado.escape
 import bleach
 import os
 import shutil
+import html
 from app.classes.shared.console import console
 from app.classes.shared.models import Users, installer
@@ -68,7 +69,7 @@ class AjaxHandler(BaseHandler):
 for d in data:
 try:
- line = helper.log_colors(d)
+ line = helper.log_colors(html.escape(d))
 self.write('{}
'.format(line)) # self.write(d.encode("utf-8"))