Prevent cross-site-scripting by escaping input text.

Pointed out by:	"Benjamin Krueger" <roo@ufies.org>
Reference:	http://securityfocus.com/cgi-bin/archive.pl?id=1&mid=220101&start=2001-10-09&end=2001-10-15
Jun Kuriyama 2001-10-30 07:26:27 +00:00
parent 45981a7b76
commit eef8406907
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/www/; revision=11073

@ -15,7 +15,7 @@
# Disclaimer:
# This is pretty ugly in places.
#
# $FreeBSD: www/en/cgi/search.cgi,v 1.20 2000/12/28 13:37:51 wosch Exp $
# $FreeBSD: www/en/cgi/search.cgi,v 1.21 2001/02/22 11:51:39 wosch Exp $
$server_root = '/usr/local/www';
@ -116,6 +116,7 @@ sub do_wais {
else {
print "The archive <em>@AVAIL_source</em> contains ";
}
@FORM_words = map { s/&/&amp;/g; s/</&lt;/g; s/>/&gt;/g; $_; } @FORM_words;
print " the following items relevant to \`@FORM_words\':\n";
print "<OL>\n";
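
Review bot: The new `map` line in `do_wais` escapes `@FORM_words` in place, because `s///` operates on the aliased `$_`, so any later use of the array in this request gets the entity-encoded text instead of what the user typed. Escape a copy at the point of output, for example `my @shown = map { my $w = $_; $w =~ s/&/&amp;/g; $w =~ s/</&lt;/g; $w =~ s/>/&gt;/g; $w } @FORM_words;`, and print `@shown`. Two further points on the same hunk: the substitution leaves `"` and `'` alone, which is enough for the element-content position used here but not if these words are ever written into an attribute value, so a shared escaping helper that also handles quotes would be safer; and the context line above prints `@AVAIL_source` inside `<em>` with no escaping, which needs the same treatment if that value can come from the form.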