From 549954949a402ba5bc84cfb83cda3d62a8e1a887 Mon Sep 17 00:00:00 2001
From: "justdave%syndicomm.com" <>
Date: Sat, 25 Aug 2001 00:32:24 +0000
Subject: Fix for bug 95235: variables with untrusted content were being echoed
 back to the user in error messages.  Those variables are now run through
 html_quote() first. Patch by Gavin Shelley <gavins@iplbath.com> r=
 justdave@syndicomm.com

---
 process_bug.cgi | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'process_bug.cgi')

diff --git a/process_bug.cgi b/process_bug.cgi
index 82e9cb988..53ec8d9da 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -749,7 +749,8 @@ if ($::FORM{'keywords'}) {
         }
         my $i = GetKeywordIdFromName($keyword);
         if (!$i) {
-            PuntTryAgain("Unknown keyword named <code>$keyword</code>. " .
+            PuntTryAgain("Unknown keyword named <code>" .
+                         html_quote($keyword) . "</code>. " .
                          "<P>The legal keyword names are " .
                          "<A HREF=describekeywords.cgi>" .
                          "listed here</A>.");
-- 
cgit v1.2.1