From 8480081292f9be4c15301674dc5e46f57bb69ede Mon Sep 17 00:00:00 2001
From: Jun Kuriyama <kuriyama@FreeBSD.org>
Date: Tue, 23 Apr 2002 17:15:40 +0000
Subject: [PATCH] Escape sort parameter from request when output HTML.

---
 en/cgi/query-pr-summary.cgi | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/en/cgi/query-pr-summary.cgi b/en/cgi/query-pr-summary.cgi
index 05e4253e2b..294eb8e2d5 100755
--- a/en/cgi/query-pr-summary.cgi
+++ b/en/cgi/query-pr-summary.cgi
@@ -1,5 +1,7 @@
 #!/usr/bin/perl -T
-# $FreeBSD: www/en/cgi/query-pr-summary.cgi,v 1.35 2001/11/07 19:38:16 fenner Exp $
+# $FreeBSD: www/en/cgi/query-pr-summary.cgi,v 1.36 2002/03/22 15:38:24 fenner Exp $
+
+sub escape($) { $_ = $_[0]; s/&/&/g; s/</</g; s/>/>/g; $_; }
 
 $html_mode = 1 if $ENV{'DOCUMENT_ROOT'};
 $self_ref = $ENV{'SCRIPT_NAME'};
@@ -148,7 +150,7 @@ EOM
 # If someone does a multiple-variable query they will probably do weird things.
 $self_ref1 = $self_ref . '?';
-$self_ref1 .= 'sort=' . $input{'sort'} if $input{'sort'};
+$self_ref1 .= 'sort=' . escape($input{'sort'}) if $input{'sort'};
 print '<P>You may view summaries by <A HREF="', $self_ref1, '">Severity</A>, ';
 $self_ref1 .= '&' if ($self_ref1 !~/\?$/);
 print '<A HREF="', $self_ref1, 'state=summary">State</A>, ';
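Review bot: The new `escape` sub in the first hunk does not escape `"`, yet the second hunk places its result inside `HREF="..."`, so a double quote in the `sort` parameter can still terminate the attribute; it needs `s/"/&quot;/g` as well. The sub also assigns the global `$_` without `local`, which clobbers the caller's `$_` should `escape` ever be called from a `for`/`while` that relies on the default variable; a lexical fixes both points while keeping the one-line style: `sub escape($) { my $s = $_[0]; $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g; return $s; }`. As rendered here the replacement sides read `&`, `<`, `>`, which would make every substitution a no-op; presumably `&amp;`, `&lt;` and `&gt;` were decoded by the page rendering, but that is worth confirming against the committed file. Since the value is also a query-string component, URL-encoding it before HTML-escaping would be the more complete treatment, though that is beyond what this commit sets out to do. The second hunk's enclosing code continues past the end of the shown text.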