diff --git a/src/octoprint/server/views.py b/src/octoprint/server/views.py
index 0f1b8c70..6ec2337f 100644
--- a/src/octoprint/server/views.py
+++ b/src/octoprint/server/views.py
@@ -17,6 +17,8 @@ from octoprint.server import app, userManager, pluginManager, gettext, \
 debug, LOCALES, VERSION, DISPLAY_VERSION, UI_API_KEY, BRANCH
 from octoprint.settings import settings
+import re
+
 from . import util
 import logging
@@ -26,6 +28,9 @@ _templates = None
 _plugin_names = None
 _plugin_vars = None
+_valid_id_re = re.compile("[a-z_]+")
+_valid_div_re = re.compile("[a-zA-Z_-]+")
+
 @app.route("/")
 def index():
 force_refresh = util.flask.cache_check_headers() or "_refresh" in request.values
@@ -466,6 +471,9 @@ def _process_template_config(name, implementation, rule, config=None, counter=1)
 data["_div"] = rule["div"](name)
 if "suffix" in data:
 data["_div"] = data["_div"] + data["suffix"]
+ if not _valid_div_re.match(data["_div"]):
+ _logger.warn("Template config {} contains invalid div identifier {}, skipping it".format(name, data["_div"]))
+ return None
 if not "template" in data:
 data["template"] = rule["template"](name)
@@ -477,6 +485,7 @@ def _process_template_config(name, implementation, rule, config=None, counter=1)
 data_bind = "allowBindings: true"
 if "data_bind" in data:
 data_bind = data_bind + ", " + data["data_bind"]
+ data_bind = data_bind.replace("\"", "\\\"")
 data["data_bind"] = data_bind
 data["_key"] = "plugin_" + name
diff --git a/src/octoprint/templates/dialogs/settings.jinja2 b/src/octoprint/templates/dialogs/settings.jinja2
index b8e79a5c..02ce5c48 100644
--- a/src/octoprint/templates/dialogs/settings.jinja2
+++ b/src/octoprint/templates/dialogs/settings.jinja2
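Review bot: `_valid_id_re` is added in this hunk but nothing in the visible hunks reads it, so unless a later hunk outside this view uses it, it is dead code and should be dropped rather than shipped as an unused module global. Both patterns are also written as plain string literals; regex patterns should be raw strings, `re.compile(r"[a-zA-Z_-]+")`, so that any later addition of `\Z`, `\d` or similar is not silently interpreted by Python first. Neither pattern has an end anchor, which is what the downstream check relies on; I would decide the intended alphabet here (digits appear to be excluded on purpose, but that would reject plugin identifiers containing a digit if `rule["div"](name)` derives the div from the plugin name) and anchor it at both ends.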
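Review bot: The added guard `if not _valid_div_re.match(data["_div"]):` can be bypassed, because `re.match` anchors only at the start of the string and `[a-zA-Z_-]+` simply stops at the first disallowed character, so any value whose first character is a letter, underscore or hyphen passes even if a `"` or `<` follows. Anchor the end as well: `_valid_div_re = re.compile(r"\A[a-zA-Z_-]+\Z")` (or use `_valid_div_re.fullmatch(...)` if the codebase is on Python 3.4 or later; `\Z` rather than `$` so a trailing newline is not accepted), so the whole div identifier must consist of allowed characters. Note that once the check is anchored, the pattern's lack of digits means a `suffix` or plugin name containing a digit will be skipped with a warning, so confirm `[a-zA-Z0-9_-]` is not the intended alphabet. `_logger.warn` is the deprecated alias of `_logger.warning`. `_process_template_config` starts and ends outside this hunk.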
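Review bot: The added `data_bind = data_bind.replace("\"", "\\\"")` does not protect the place this value is rendered: in the index.jinja2 hunk it is emitted as `data-bind="{{ data.data_bind }}"`, and HTML attribute values have no backslash escapes, so a `"` in a plugin-supplied `data_bind` still terminates the attribute, now with a stray `\` in front of it. The right escape for that context is entity escaping at the render site, `data-bind="{{ data.data_bind|e }}"`, which the browser decodes back to a plain `"` before Knockout parses the binding string; the backslash replacement should then be removed, since it would otherwise corrupt legitimate quoted strings inside a binding. This assumes autoescaping is off for these `.jinja2` templates, which the explicit `|e` added to `{{ entry }}` elsewhere in this commit suggests. `_process_template_config` starts and ends outside this hunk.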
@@ -20,7 +20,7 @@ class="{% if mark_active %}active{% set mark_active = False %}{% endif %} {% if "classes_link" in data %}{{ data.classes_link|join(' ') }}{% elif "classes" in data %}{{ data.classes|join(' ') }}{% endif %}" {% if "styles_link" in data %} style="{{ data.styles_link|join(', ') }}" {% elif "styles" in data %} style="{{ data.styles|join(', ') }}" {% endif %} >
- {{ entry }}
+ {{ entry|e }}
 {% if "custom_bindings" not in data or data["custom_bindings"] %}{% endif %} {% endif %}
diff --git a/src/octoprint/templates/dialogs/usersettings.jinja2 b/src/octoprint/templates/dialogs/usersettings.jinja2
index 00cbcc6c..be405c15 100644
--- a/src/octoprint/templates/dialogs/usersettings.jinja2
+++ b/src/octoprint/templates/dialogs/usersettings.jinja2
@@ -17,7 +17,7 @@ class="{% if mark_active %}active{% set mark_active = False %}{% endif %} {% if "classes_link" in data %}{{ data.classes_link|join(' ') }}{% elif "classes" in data %}{{ data.classes|join(' ') }}{% endif %}" {% if "styles_link" in data %} style="{{ data.styles_link|join(', ') }}" {% elif "styles" in data %} style="{{ data.styles|join(', ') }}" {% endif %} >
- {{ entry }}
+ {{ entry|e }}
 {% if "custom_bindings" not in data or data["custom_bindings"] %}{% endif %} {% endif %}
diff --git a/src/octoprint/templates/index.jinja2 b/src/octoprint/templates/index.jinja2
index 5196d969..2a316380 100644
--- a/src/octoprint/templates/index.jinja2
+++ b/src/octoprint/templates/index.jinja2
@@ -55,7 +55,7 @@ >
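Review bot: Escaping `{{ entry }}` fixes the element text, but the context lines of this same hunk still render `data.classes_link`, `data.classes`, `data.styles_link` and `data.styles` into `class="…"` and `style="…"` attributes without `|e`, and those values appear to come from the same plugin-supplied `data` dict as `entry`. A `"` inside any of them closes the attribute, so the commit leaves an attribute-context injection next to the text-context one it fixes. Apply the same filter there, e.g. `{{ data.classes_link|join(' ')|e }}` and `{{ data.styles|join(', ')|e }}`, assuming autoescaping is not enabled for these `.jinja2` templates, which the explicit `|e` on `entry` suggests. The identical attribute lines recur in the usersettings.jinja2 and index.jinja2 hunks and should get the same treatment.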
- {% if "icon" in data %} {% endif %}{{ entry }}
+ {% if "icon" in data %} {% endif %}{{ entry|e }}
 {% if "template_header" in data %} {% include data.template_header ignore missing %}
@@ -87,7 +87,7 @@ {% if "data_bind" in data %}data-bind="{{ data.data_bind }}"{% endif %} {% if "styles_link" in data %} style="{{ data.styles_link|join(', ') }}" {% elif "styles" in data %} style="{{ data.styles|join(', ') }}" {% endif %} >
- {{ entry }}
+ {{ entry|e }}
 {% if "custom_bindings" not in data or data["custom_bindings"] %}{% endif %} {% endfor %}
@@ -112,7 +112,7 @@