Bugfix XSS (thanks to Sipke Mellema)

author: Benjamin Kellermann <Benjamin.Kellermann@gmx.de> 2013-08-19 08:25:33 +0200
committer: Benjamin Kellermann <Benjamin.Kellermann@gmx.de> 2013-08-19 08:25:33 +0200
commit: fe5ff8340292958c247cf7e3f1ad8330c88de33a (patch)
tree: 25d6183684d0f63eebb5a702467f03e0f2a64823 /customize.rb
parent: 6cd3ca6c265e2d55be6d0906cdae8d178e9e222d (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/customize.rb b/customize.rb
index af64fa3..2062365 100755
--- a/customize.rb
+++ b/customize.rb
@@ -69,11 +69,12 @@ $d << "</div>"
 
 
 username = $cgi.cookies["username"][0]
+username = CGI.escapeHTML(username) if username
 if $cgi.include?("delete_username")
 	$d.html.add_cookie("username","","/",Time.now - 1*60*60*24*365)
 	username = nil
 elsif $cgi.include?("username") && $cgi["username"] != ""
-	username = $cgi["username"]
+	username = CGI.escapeHTML($cgi["username"])
 	$d.html.add_cookie("username",username,"/",Time.now + 1*60*60*24*365)
 end
author	Benjamin Kellermann <Benjamin.Kellermann@gmx.de>	2013-08-19 08:25:33 +0200
committer	Benjamin Kellermann <Benjamin.Kellermann@gmx.de>	2013-08-19 08:25:33 +0200
commit	fe5ff8340292958c247cf7e3f1ad8330c88de33a (patch)
tree	25d6183684d0f63eebb5a702467f03e0f2a64823 /customize.rb
parent	6cd3ca6c265e2d55be6d0906cdae8d178e9e222d (diff)