escape some params

acl/save_user.cgi

@@ -52,11 +52,11 @@ else {
 
 # Validate username, and check for a clash
 $in{'name'} =~ /^[A-z0-9\-\_\.\@]+$/ && $in{'name'} !~ /^\@/ ||
-	&error(&text('save_ename', $in{'name'}));
+	&error(&text('save_ename', &html_escape($in{'name'})));
 $in{'name'} eq 'webmin' && &error($text{'save_enamewebmin'});
 if (!$in{'old'} || $in{'old'} ne $in{'name'}) {
 	my $clash = &get_user($in{'name'});
-	$clash && &error(&text('save_edup', $in{'name'}));
+	$clash && &error(&text('save_edup', &html_escape($in{'name'})));
 	}
 !$access{'logouttime'} || $in{'logouttime_def'} ||
 	$in{'logouttime'} =~ /^\d+$/ || &error($text{'save_elogouttime'});

software/file_info.cgi

@@ -20,7 +20,8 @@ else {
 	}
 
 if (!%file) {
-	print "<b>",&text('file_notfound', "<tt>$f</tt>"),"</b><p>\n";
+	print "<b>",&text('file_notfound',
+			  "<tt>".&html_escape($f)."</tt>"),"</b><p>\n";
 	}
 else {
 	# display file info

software/search.cgi

@@ -34,7 +34,8 @@ if (@match == 1 && $in{'goto'}) {
 if (@match) {
 	@match = sort { lc($packages{$a,'name'}) cmp lc($packages{$b,'name'}) }
 		      @match;
-	print "<b>",&text('search_match', "<tt>$s</tt>"),"</b><p>\n";
+	print "<b>",&text('search_match',
+			  "<tt>".&html_escape($s)."</tt>"),"</b><p>\n";
 	print &ui_form_start("delete_packs.cgi", "post");
 	print &ui_hidden("search", $in{'search'});
 	@tds = ( "width=5" );

webmin/change_referers.cgi

@@ -10,7 +10,8 @@ require './webmin-lib.pl';
 $gconfig{'referer'} = $in{'referer'};
 @refs = split(/\s+/, $in{'referers'});
 foreach my $r (@refs) {
-	$r =~ /^[a-z0-9\.\-\_]+$/ || &error(&text('referers_ehost', $r));
+	$r =~ /^[a-z0-9\.\-\_]+$/ ||
+		&error(&text('referers_ehost', &html_escape($r)));
 	}
 $gconfig{'referers'} = join(" ", @refs);
 $gconfig{'referers_none'} = int(!$in{'referers_none'});