From eef8406907cf516a98303b23f78410a41726a9f5 Mon Sep 17 00:00:00 2001
From: Jun Kuriyama <kuriyama@FreeBSD.org>
Date: Tue, 30 Oct 2001 07:26:27 +0000
Subject: [PATCH] Prevent cross-site-scripting by escaping input text.

Pointed out by:	"Benjamin Krueger" <roo@ufies.org>
Reference:	http://securityfocus.com/cgi-bin/archive.pl?id=1&mid=220101&start=2001-10-09&end=2001-10-15
---
 en/cgi/search.cgi | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/en/cgi/search.cgi b/en/cgi/search.cgi
index b866692513..28ab57dfc9 100755
--- a/en/cgi/search.cgi
+++ b/en/cgi/search.cgi
@@ -15,7 +15,7 @@
 # Disclaimer:
 #   This is pretty ugly in places.
 #
-# $FreeBSD: www/en/cgi/search.cgi,v 1.20 2000/12/28 13:37:51 wosch Exp $
+# $FreeBSD: www/en/cgi/search.cgi,v 1.21 2001/02/22 11:51:39 wosch Exp $
 
 
 $server_root = '/usr/local/www';
@@ -116,6 +116,7 @@ sub do_wais {
     else {
 	print "The archive <em>@AVAIL_source</em> contains ";
     }
+    @FORM_words = map { s/&/&amp;/g; s/</&lt;/g; s/>/&gt;/g; $_; } @FORM_words;
     print " the following items relevant to \`@FORM_words\':\n";
     print "<OL>\n";
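Review bot: The escaping on the added line rewrites the global `@FORM_words` in place, because the `s///` calls inside `map` act on the aliased `$_`. Any later code that reuses the array for the query itself, a link or a form field would then receive the HTML-encoded text rather than what the user typed; the rest of do_wais lies outside the hunk, so whether that happens is unverified. Escaping a copy at the point of output avoids it: `my @shown = map { (my $w = $_) =~ s/&/&amp;/g; $w =~ s/</&lt;/g; $w =~ s/>/&gt;/g; $w } @FORM_words;`, then interpolate `@shown` in the print. Quotes are left unescaped, which is adequate for this element-text position but not if the same value is ever written inside an HTML attribute. `@AVAIL_source` in the preceding print also reaches the page unescaped, so if it can carry request data it needs the same treatment.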