
Commit c2d4a90

committed
escape some params
1 parent f670603 commit c2d4a90

4 files changed

+8
-5
lines changed


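--- a/acl/save_user.cgi
+++ b/acl/save_user.cgi
@@ -52,11 +52,11 @@ else {
 
 # Validate username, and check for a clash
 $in{'name'} =~ /^[A-z0-9\-\_\.\@]+$/ && $in{'name'} !~ /^\@/ ||
-&error(&text('save_ename', $in{'name'}));
+&error(&text('save_ename', &html_escape($in{'name'})));
 $in{'name'} eq 'webmin' && &error($text{'save_enamewebmin'});
 if (!$in{'old'} || $in{'old'} ne $in{'name'}) {
 my $clash = &get_user($in{'name'});
-$clash && &error(&text('save_edup', $in{'name'}));
+$clash && &error(&text('save_edup', &html_escape($in{'name'})));
 }
 !$access{'logouttime'} || $in{'logouttime_def'} ||
 $in{'logouttime'} =~ /^\d+$/ || &error($text{'save_elogouttime'});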
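Review bot: The username check on line 54 uses the range `[A-z]`, which in ASCII also admits `[`, `\`, `]`, `^` and the backtick, so a name such as `foo^bar` passes validation even though the error text on the new line 55 is now escaped; the intended class is `[A-Za-z0-9\-\_\.\@]`. The `$` anchor additionally lets a trailing newline through, so `\z` is the tighter end anchor if the name is reused elsewhere. The escape added on line 59 only fires after the name has already matched the class, so it is defensive rather than strictly needed. The enclosing `else` block begins before the hunk.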

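--- a/software/file_info.cgi
+++ b/software/file_info.cgi
@@ -20,7 +20,8 @@ else {
 }
 
 if (!%file) {
-print "<b>",&text('file_notfound', "<tt>$f</tt>"),"</b><p>\n";
+print "<b>",&text('file_notfound',
+"<tt>".&html_escape($f)."</tt>"),"</b><p>\n";
 }
 else {
 # display file info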
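Review bot: Only the not-found branch escapes `$f`; the `else` branch that displays the file info starts at line 26 and continues outside the hunk, and is the more likely place for the same name to be echoed again, so it should get the same treatment if it prints `$f`. Where `$f` is assigned is also outside the hunk, so whether it has been validated before this point cannot be judged here. The enclosing block begins before the hunk.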

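--- a/software/search.cgi
+++ b/software/search.cgi
@@ -34,7 +34,8 @@ if (@match == 1 && $in{'goto'}) {
 if (@match) {
 @match = sort { lc($packages{$a,'name'}) cmp lc($packages{$b,'name'}) }
 @match;
-print "<b>",&text('search_match', "<tt>$s</tt>"),"</b><p>\n";
+print "<b>",&text('search_match',
+"<tt>".&html_escape($s)."</tt>"),"</b><p>\n";
 print &ui_form_start("delete_packs.cgi", "post");
 print &ui_hidden("search", $in{'search'});
 @tds = ( "width=5" );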
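Review bot: `$s` is escaped in the heading on new lines 37–38, but the context line `print &ui_hidden("search", $in{'search'});` re-emits the same user input into a hidden field, and whether `ui_hidden` HTML-escapes its value is not visible in this hunk; if it does not, the reflected input still reaches the page unescaped two lines below the fix. How `$s` relates to `$in{'search'}` is decided outside the hunk. Worth confirming `ui_hidden`'s escaping before adding an explicit `&html_escape`, since escaping twice would corrupt the value that is round-tripped to delete_packs.cgi. The enclosing `if (@match)` block closes outside the hunk.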

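--- a/webmin/change_referers.cgi
+++ b/webmin/change_referers.cgi
@@ -10,7 +10,8 @@ require './webmin-lib.pl';
 $gconfig{'referer'} = $in{'referer'};
 @refs = split(/\s+/, $in{'referers'});
 foreach my $r (@refs) {
-$r =~ /^[a-z0-9\.\-\_]+$/ ||
+$r =~ /^[a-z0-9\.\-\_]+$/ ||
+&error(&text('referers_ehost', &html_escape($r)));
 }
 $gconfig{'referers'} = join(" ", @refs);
 $gconfig{'referers_none'} = int(!$in{'referers_none'});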
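Review bot: `split(/\s+/, $in{'referers'})` on context line 11 yields a leading empty field when the input starts with whitespace, so a textarea value such as `" host1 host2"` makes the loop reject an empty `$r` and the newly escaped message on line 14 reports a blank hostname; `@refs = split(' ', $in{'referers'});` (the special single-space pattern) discards leading whitespace and avoids that. The hostname class `[a-z0-9\.\-\_]` also rejects any uppercase letter unless the value is lowercased before this point, which the hunk does not show. On line 10 `$gconfig{'referer'}` is stored raw while `referers_none` on line 16 is normalised with `int(...)`; if `referer` is likewise a yes/no flag it would be consistent to normalise it the same way. The surrounding script continues outside the hunk.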
