clwarn.cgi: Remove XSS

Message ID 20230524082041.266912-1-michael.tremer@ipfire.org
State Accepted
Commit 2a0d7a03d7df63806dc37b93ea10a93c2da4e4ea
Series clwarn.cgi: Remove XSS |

Commit Message

Michael Tremer May 24, 2023, 8:20 a.m. UTC
  Fixes: #12966
Reported-by: Arthur Naullet <arthur.naullet@epita.fr>
Reported-by: Rafael Lima <isec-researcher@protonmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/html/clwarn.cgi | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
  

Patch

diff --git a/html/html/clwarn.cgi b/html/html/clwarn.cgi
index 44f7f98ab..c7a415cdb 100644
--- a/html/html/clwarn.cgi
+++ b/html/html/clwarn.cgi
@@ -20,6 +20,7 @@ 
 ###############################################################################
 
 use CGI qw(param);
+use HTML::Entities();
 
 # enable only the following on debugging purpose
 use warnings;
@@ -30,11 +31,11 @@  $swroot="/var/ipfire";
 
 my $TITLE_VIRUS = "SquidClamAv Virus detection";
 
-my $url = param('url') || '';
-my $virus = param('virus') || '';
-my $source = param('source') || '';
+my $url = &HTML::Entities::encode_entities(param('url') || '');
+my $virus = &HTML::Entities::encode_entities(param('virus') || '');
+my $source = &HTML::Entities::encode_entities(param('source') || '');
 $source =~ s/\/-//;
-my $user = param('user') || '';
+my $user = &HTML::Entities::encode_entities(param('user') || '');
 
 
 # Remove clamd infos
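Review bot: The entity encoding added for `$url`, `$virus`, `$source` and `$user` is applied at input time, so these variables are only safe where they are later printed as HTML text or inside quoted attribute values; if any of them is also emitted in another context (a `href` target, a JavaScript string, a log line) HTML entity encoding is the wrong escape and the output site needs its own, which cannot be confirmed here because the rest of the script lies outside the hunk. A comment would make that contract explicit, e.g. `# Values are HTML-escaped here; only interpolate them into HTML text or quoted attributes.` The `$source =~ s/\/-//;` that follows still works on the encoded string because `/` and `-` are not in encode_entities' default escape set, but the ordering dependency deserves a short note. As a point of style, the `&` call prefix is unnecessary and bypasses prototype handling; `my $url = HTML::Entities::encode_entities(param('url') || '');` reads cleaner, and the same applies to the three sibling lines.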