From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from localhost (fantadrom.bsd.lv [local]) by fantadrom.bsd.lv (OpenSMTPD) with ESMTPA id 16641da2 for ; Thu, 21 Mar 2019 18:08:44 -0500 (EST) Date: Thu, 21 Mar 2019 18:08:44 -0500 (EST) X-Mailinglist: mandoc-source Reply-To: source@mandoc.bsd.lv MIME-Version: 1.0 From: schwarze@mandoc.bsd.lv To: source@mandoc.bsd.lv Subject: cvsweb: more XSS prevention; patch from afresh1@; also triggered by the X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/ Content-Type: text/plain; charset=utf-8 Message-ID: Log Message: ----------- more XSS prevention; patch from afresh1@; also triggered by the report from Ezio Paglia Tags: ---- FreeBSD-cvsweb-2_0-branch Modified Files: -------------- cvsweb: cvsweb.cgi Revision Data ------------- Index: cvsweb.cgi =================================================================== RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v retrieving revision 3.119.2.15 retrieving revision 3.119.2.16 diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r3.119.2.15 -r3.119.2.16 --- cvsweb.cgi +++ cvsweb.cgi @@ -2842,7 +2842,7 @@ sub doLog($) { print $sel; print "\n"; $diffrev = $revdisplayorder[$#revdisplayorder]; - $diffrev = $input{"r1"} if (defined($input{"r1"})); + $diffrev = htmlquote($input{"r1"}) if (defined($input{"r1"})); print "\n"; print "
\n\n"; @@ -2853,7 +2853,7 @@ sub doLog($) { print $sel; print "\n"; $diffrev = $revdisplayorder[0]; - $diffrev = $input{"r2"} if (defined($input{"r2"})); + $diffrev = htmlquote($input{"r2"}) if (defined($input{"r2"})); print "\n"; print "\n"; @@ -2898,7 +2898,8 @@ sub doLog($) { next if ($_ eq "f"); next if ($_ eq "only_with_tag"); next if ($_ eq "logsort"); - print "\n" + printf "\n", + $_, htmlquote($input{$_}) if (defined($input{$_}) && (!defined($DEFAULTVALUE{$_}) || $input{$_} ne $DEFAULTVALUE{$_}) && $input{$_} ne ""); -- To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv