diff options
author | Benjamin Kellermann <Benjamin.Kellermann@gmx.de> | 2013-08-19 08:25:33 +0200 |
---|---|---|
committer | Benjamin Kellermann <Benjamin.Kellermann@gmx.de> | 2013-08-19 08:25:33 +0200 |
commit | fe5ff8340292958c247cf7e3f1ad8330c88de33a (patch) | |
tree | 25d6183684d0f63eebb5a702467f03e0f2a64823 /customize.rb | |
parent | 6cd3ca6c265e2d55be6d0906cdae8d178e9e222d (diff) |
Bugfix XSS (thanks to Sipke Mellema)
Diffstat (limited to 'customize.rb')
-rwxr-xr-x | customize.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/customize.rb b/customize.rb index af64fa3..2062365 100755 --- a/customize.rb +++ b/customize.rb @@ -69,11 +69,12 @@ $d << "</div>" username = $cgi.cookies["username"][0] +username = CGI.escapeHTML(username) if username if $cgi.include?("delete_username") $d.html.add_cookie("username","","/",Time.now - 1*60*60*24*365) username = nil elsif $cgi.include?("username") && $cgi["username"] != "" - username = $cgi["username"] + username = CGI.escapeHTML($cgi["username"]) $d.html.add_cookie("username",username,"/",Time.now + 1*60*60*24*365) end |