fixed cross-site scripting error

markstos · May 11, 2003 · ab3b4ad · ab3b4ad
1 parent b43e83c
commit ab3b4ad
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/CGI.pm b/CGI.pm
@@ -18,8 +18,8 @@ use Carp 'croak';
 # The most recent version and complete docs are available at:
 #   http://stein.cshl.org/WWW/software/CGI/
 
-$CGI::revision = '$Id: CGI.pm,v 1.112 2003-04-28 13:35:56 lstein Exp $';
-$CGI::VERSION='2.93';
+$CGI::revision = '$Id: CGI.pm,v 1.113 2003-05-11 22:53:25 lstein Exp $';
+$CGI::VERSION='2.95';
 
 # HARD-CODED LOCATION FOR FILE UPLOAD TEMPORARY FILES.
 # UNCOMMENT THIS ONLY IF YOU KNOW WHAT YOU'RE DOING.
@@ -1632,6 +1632,7 @@ sub startform {
            $action .= "?$ENV{QUERY_STRING}";
        }
     }
+    $action =~ s/\"/%22/g;  # fix cross-site scripting bug reported by obscure
     $action = qq(action="$action");
     my($other) = @other ? " @other" : '';
     $self->{'.parametersToAdd'}={};
@@ -1875,7 +1876,6 @@ END_OF_FUNC
 sub reset {
     my($self,@p) = self_or_default(@_);
     my($label,$value,@other) = rearrange(['NAME',['VALUE','LABEL']],@p);
-    warn "label = $label, value = $value";
     $label=$self->escapeHTML($label);
     $value=$self->escapeHTML($value,1);
     my ($name) = ' name=".reset"';

diff --git a/cgi_docs.html b/cgi_docs.html
@@ -7,7 +7,7 @@
 <BODY bgcolor="#FFFFFF">
 <H1><IMG SRC="examples/dna.small.gif" ALT="[logo]">
 CGI.pm - a Perl5 CGI Library</H1>
-Version 2.93, 4/28/2003, L. Stein
+Version 2.94, 4/28/2003, L. Stein
 <p>
 
 <H2>Abstract</H2> This perl 5 library uses objects to create Web
@@ -4775,6 +4775,11 @@ <H2><a name="bugs">Bug Reports</a></H2>
 <HR>
 
 <H2><A NAME="new">Revision History</A></H2>
+<h3>Version 2.94</h3>
+<ol>
+  <li>Fixed cross-site scripting bug reported by obscure.
+</ol>  
+
 <h3>Version 2.93</h3>
 <ol>
   <li>Fixed embarassing bug in mp1 support.
@@ -5828,6 +5833,6 @@ <H3>Bug fixes</H3>
 <a href="http://www.cshl.org/">Cold Spring Harbor Laboratory</a></ADDRESS>
 <P>
 <!-- hhmts start -->
-Last modified: Mon Apr 28 09:35:40 EDT 2003
+Last modified: Sun May 11 18:51:39 EDT 2003
 <!-- hhmts end -->
 </BODY> </HTML>