@@ -561,7 +561,7 @@ or start a new game by typing 'new game'\n" res.cookies.push([Cookie.new('gogar', session.to_s)]) end game = @@games[session] - command = req.query['command'] || "" + command = req.query['command'].gsub(/</,"&lt;").gsub(/>/,"&gt;") || "" res['Content-Type'] = "text/html" res.status = 200 answer = game.command(command) gogar.rb 170ef1f08126fbf1b3bc7256a4a55bcd51bfb06e John MacFarlane jgm@berkeley.edu http://github.com/jgm/gogar/commit/1079dbfd54ebf9d0f737759603ba101d0adebcae 1079dbfd54ebf9d0f737759603ba101d0adebcae 2008-11-10T07:42:27-08:00 2008-11-10T07:42:27-08:00 Filter input in webserver to prevent XSS attacks. ba73d3e90949acfe54502d7dfb64ee12c543265f John MacFarlane jgm@berkeley.edu