Fix cross-site scripting problem with user name display.
benmwebb committed Sep 23, 2015
1 parent d9e2d0e commit baf25cd
Showing 2 changed files with 3 additions and 3 deletions.
2 changes: 1 addition & 1 deletion perl/saliweb/frontend.pm
Expand Up @@ -832,7 +832,7 @@ sub get_header {
"Logout");
unshift @$navigation_links,
$q->a({-href=>"https://$web_server/scgi/server.cgi"},
"Current User:$user_name");
"Current User: " . $q->escapeHTML($user_name));
} else {
unshift @$navigation_links,
$q->a({-href=>"https://$web_server/scgi/server.cgi"},
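Review bot: The escaping added to the `Current User:` link text is the right encoder for element content, but nothing in the code says why it is there, so a later edit of get_header could drop it again; a one-line comment above the `unshift` would pin it: `# user_name is rendered as element text; escapeHTML it so a crafted name cannot inject markup (regression test in test/frontend/frontend.pl).` The value is only safe in this text position — if `$user_name` were ever placed in the href or another attribute, escapeHTML would be the wrong encoder (URI-encoding or attribute quoting would be needed). get_header starts and ends outside this hunk, so any other place the name is rendered is not visible here and should get the same treatment. `$web_server` interpolated into the href is presumably configuration rather than request data, but that is inferred, not shown.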
4 changes: 2 additions & 2 deletions test/frontend/frontend.pl
Expand Up @@ -410,10 +410,10 @@ END
'header with anonymous user');

$self->{'user_info'} = 'foo';
$self->{'user_name'} = 'testuser';
$self->{'user_name'} = '<foo>testuser';
like($self->get_header,
'/<a href="https:\/\/modbase\.compbio\.ucsf\.edu\/scgi\/' .
'server\.cgi">Current User:testuser<\/a>.*' .
'server\.cgi">Current User: &lt;foo&gt;testuser<\/a>.*' .
'<a href="https:\/\/modbase\.compbio\.ucsf\.edu\/scgi\/' .
'server\.cgi\?logout=true">Logout<\/a>/s',
' with logged-in user');
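Review bot: The new fixture `'<foo>testuser'` only exercises `<` and `>`, so a regression that stopped escaping `&` or `"`, or one that double-escaped, would still pass; widening it costs nothing: `$self->{'user_name'} = '<foo>&"testuser';` with the expected text `'server\.cgi">Current User: &lt;foo&gt;&amp;&quot;testuser<\/a>.*' .`. CGI's escapeHTML always converts those four characters regardless of the charset setting, so the expectation is stable. The enclosing test subroutine starts and ends outside this hunk.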
