[2/2] mail.cgi: Do not print content of input fields
Commit Message
This was printed unescaped and could therefore be used
for a stored XSS attack.
Fixes: #12226
Reported-by: Pisher Honda <pisher24@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
html/cgi-bin/mail.cgi | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
@@ -260,21 +260,21 @@ sub checkmailsettings {
#Check if mailserver is an ip address or a domain
if ($cgiparams{'txt_mailserver'} =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/){
if (! &General::validip($cgiparams{'txt_mailserver'})){
- $errormessage.="$Lang::tr{'email invalid mailip'} $cgiparams{'txt_mailserver'}<br>";
+ $errormessage .= $Lang::tr{'email invalid mailip'} . "<br>";
}
}elsif(! &General::validfqdn($cgiparams{'txt_mailserver'})){
- $errormessage.="$Lang::tr{'email invalid mailfqdn'} $cgiparams{'txt_mailserver'}<br>";
+ $errormessage .= $Lang::tr{'email invalid mailfqdn'} . "<br>";
}
#Check valid mailserverport
if($cgiparams{'txt_mailport'} < 1 || $cgiparams{'txt_mailport'} > 65535){
- $errormessage.="$Lang::tr{'email invalid mailport'} $cgiparams{'txt_mailport'}<br>";
+ $errormessage .= $Lang::tr{'email invalid mailport'} . "<br>";
}
#Check valid sender
if(! $cgiparams{'txt_mailsender'}){
- $errormessage.="$Lang::tr{'email empty field'} $Lang::tr{'email mailsender'}<br>";
+ $errormessage .= $Lang::tr{'email empty field'} . "<br>";
}else{
if (! &General::validemail($cgiparams{'txt_mailsender'})){
- $errormessage.="<br>$Lang::tr{'email invalid'} $Lang::tr{'email mailsender'}<br>";
+ $errormessage .= "$Lang::tr{'email invalid'} $Lang::tr{'email mailsender'}<br>";
}
}
return $errormessage;