diff options
author | justdave%syndicomm.com <> | 2001-08-25 00:32:24 +0000 |
---|---|---|
committer | justdave%syndicomm.com <> | 2001-08-25 00:32:24 +0000 |
commit | 549954949a402ba5bc84cfb83cda3d62a8e1a887 (patch) | |
tree | 64ac2ddb9c40844739db9ae9583cdbf41af9aa9b /process_bug.cgi | |
parent | 0fb6fdfab23fa6e82bce48af1b4872b0b5203425 (diff) | |
download | bugs-549954949a402ba5bc84cfb83cda3d62a8e1a887.tar bugs-549954949a402ba5bc84cfb83cda3d62a8e1a887.tar.gz bugs-549954949a402ba5bc84cfb83cda3d62a8e1a887.tar.bz2 bugs-549954949a402ba5bc84cfb83cda3d62a8e1a887.tar.xz bugs-549954949a402ba5bc84cfb83cda3d62a8e1a887.zip |
Fix for bug 95235: variables with untrusted content were being echoed back to the user in error messages. Those variables are now run through html_quote() first.
Patch by Gavin Shelley <gavins@iplbath.com>
r= justdave@syndicomm.com
Diffstat (limited to 'process_bug.cgi')
-rwxr-xr-x | process_bug.cgi | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/process_bug.cgi b/process_bug.cgi index 82e9cb988..53ec8d9da 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -749,7 +749,8 @@ if ($::FORM{'keywords'}) { } my $i = GetKeywordIdFromName($keyword); if (!$i) { - PuntTryAgain("Unknown keyword named <code>$keyword</code>. " . + PuntTryAgain("Unknown keyword named <code>" . + html_quote($keyword) . "</code>. " . "<P>The legal keyword names are " . "<A HREF=describekeywords.cgi>" . "listed here</A>."); |