[14/16] dns.cgi: Fixes bug 13892
Commit Message
Fixes: bug 13892 - dns.cgi TLS_HOSTNAME Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/dns.cgi | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2005-2024 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2005-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -187,6 +187,7 @@ if (($cgiparams{'SERVERS'} eq $Lang::tr{'save'}) || ($cgiparams{'SERVERS'} eq $L
}
# Add/Modify the entry to/in the dns_servers hash.
+ $cgiparams{'TLS_HOSTNAME'} = &Header::escape($cgiparams{'TLS_HOSTNAME'});
$dns_servers{$id} = ["$cgiparams{'NAMESERVER'}", "$cgiparams{'TLS_HOSTNAME'}", "$status", "$cgiparams{'REMARK'}"];
# Write the changed hash to the config file.
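Review bot: Escaping on the added line, just before the `$dns_servers{$id}` assignment, puts the HTML-encoded form of `TLS_HOSTNAME` into the stored hash. Anything that reads the value for a non-HTML purpose then gets entity-encoded text, an entry that is loaded into the form and saved again may be encoded twice, and entries written before this change stay unescaped on disk. It would be more robust to reject values that are not a valid hostname before this assignment and to call `&Header::escape($cgiparams{'TLS_HOSTNAME'})` where the value is printed; if such validation already exists, it is outside this hunk. `REMARK` is stored on the same line with no escaping visible here, so it is worth confirming that it is encoded on output. The enclosing `if` block starts and ends outside the hunk.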