
Commit a330e91

committed
Escape untrusted params
1 parent cca627a commit a330e91


1 file changed

+12
-6
lines changed


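--- a/man/view_man.cgi
+++ b/man/view_man.cgi
@@ -43,8 +43,8 @@ SECT: foreach $sec (@sects) {
 }
 }
 if (!$found) {
-print "<p><b>",&text('man_noentry', "<tt>$in{'page'}</tt>"),
-"</b><p>\n";
+print "<p><b>",&text('man_noentry',
+"<tt>".&html_escape($in{'page'})."</tt>"),"</b><p>\n";
 }
 else {
 if (&has_command($config{'man2html_path'})) {
@@ -86,13 +86,19 @@ else {
 $out =~ s/<A HREF="file:[^"]+">([^<]+)<\/a>/$1/ig;
 $out =~ s/<A HREF="view_man.cgi">/<A HREF=\"\">/i;
 }
-&show_view_table(&text('man_header', $in{'page'}, $in{'sec'}),
-$out);
+&show_view_table(
+&text('man_header',
+&html_escape($in{'page'}),
+&html_escape($in{'sec'})),
+$out);
 } else {
 $out =~ s/.\010//g;
 $out =~ s/^(man:\s*)?(re)?formatting.*//i;
-&show_view_table(&text('man_header', $in{'page'}, $in{'sec'}),
-"<pre>".&html_escape($out)."</pre>");
+&show_view_table(
+&text('man_header',
+&html_escape($in{'page'}),
+&html_escape($in{'sec'})),
+"<pre>".&html_escape($out)."</pre>");
 }
 }
 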
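Review bot: In the man2html branch (new lines 89-93 of the second hunk) the page and section names are now escaped in the header, but `$out` is still handed to `&show_view_table` as raw HTML, whereas the plain-text branch wraps it in `&html_escape`. That is presumably deliberate, since lines 86-87 rewrite anchors inside `$out` and so it is already markup, but it means the user-supplied page name can still reach the response unescaped if man2html echoes it into its own output (a heading or an error line for a nonexistent page); worth confirming against what man2html emits in that case. A comment on the new line 89 would make the asymmetry explicit: `# $out is man2html's own HTML and is emitted as-is; only the header fields are escaped here`. Whether `$in{'page'}` and `$in{'sec'}` are validated before they reach the man command is outside this hunk; this commit only addresses output encoding.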
