author | Benjamin Kellermann <Benjamin.Kellermann@gmx.de> | 2009-09-15 01:06:04 +0200 |
---|---|---|
committer | Benjamin Kellermann <Benjamin.Kellermann@gmx.de> | 2009-09-15 01:06:04 +0200 |
commit | 989e3b3c5fec10eff3b77f0d63691ed1409872f3 (patch) | |
tree | 4707094a52fe4e6b79ec3afad155bcdf78742b67 /index.cgi | |
parent | d748edf63865c831aef5bb7bf72bd8ef6c8e3ff2 (diff) |
make it once more a bit more robust to xss
Diffstat (limited to 'index.cgi')
-rwxr-xr-x | index.cgi | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -48,7 +48,7 @@ HEAD
 $htmlout += "</head><body>"
 if $cgi.include?("create_poll")
- SITE=$cgi["create_poll"]
+ SITE=$cgi["create_poll"].gsub(/^\//,"")
 unless File.exist?(SITE)
 Dir.mkdir(SITE)
 Dir.chdir(SITE)
@@ -79,7 +79,7 @@ Dir.glob("*/data.yaml").sort_by{|f| }.each{|site|
 unless YAML::load_file("#{site}/data.yaml").hidden
 $htmlout += "<tr>"
- $htmlout += "<td class='site'><a href='#{site}'>#{site}</a></td>"
+ $htmlout += "<td class='site'><a href='./#{CGI.escapeHTML(site).gsub("'","%27")}'>#{CGI.escapeHTML(site)}</a></td>"
 $htmlout += "<td class='mtime'>#{File.new(site + "/data.yaml").mtime.strftime('%d.%m, %H:%M')}</td>"
 $htmlout += "</tr>"
 end |
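Review bot: Stripping one leading slash in the new `SITE=` line does not stop a request from escaping the polls directory: `../../tmp` passes through untouched, and `//etc` comes out as `/etc` because `gsub(/^\//,"")` only removes the first slash, after which `Dir.mkdir(SITE)` and `Dir.chdir(SITE)` below act on that path as the web server user. Because SITE names a directory the request itself gets to create, the robust check is an allowlist on the whole value rather than removal of a prefix, e.g. `SITE=$cgi["create_poll"]` followed by `raise "invalid poll name" unless SITE =~ /\A[A-Za-z0-9_-]+\z/` (or whatever error path the script uses for bad input). Note that `^` and `$` match per line in Ruby, so a value containing a newline would also slip past any check anchored with them; `\A`/`\z` cover the whole string. The body of `if $cgi.include?("create_poll")` continues outside the hunk.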
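Review bot: The new `href` mixes HTML escaping with a one-off `%27` substitution, which protects the attribute delimiter but leaves other URL metacharacters in a directory name — `#`, `?` or `%` — to produce a link to the wrong target, and it is not visible from the hunk whether this Ruby's `CGI.escapeHTML` already encodes `'` (newer versions emit `&#39;`, in which case the `gsub` never fires). Since `site` comes from directory names that the create_poll path lets a request choose, the durable fix is to validate the name when the directory is created so that only `[A-Za-z0-9_-]` ever reaches the filesystem; then `href='./#{CGI.escapeHTML(site)}'` is sufficient here. If arbitrary names must remain supported, percent-encode the path segment before HTML-escaping it, e.g. `CGI.escapeHTML(CGI.escape(site))`, bearing in mind that `CGI.escape` turns spaces into `+`, which a path does not decode back. The `each{|site|` block opens on the hunk header line and closes outside the hunk.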