From fe5ff8340292958c247cf7e3f1ad8330c88de33a Mon Sep 17 00:00:00 2001
From: Benjamin Kellermann
Date: Mon, 19 Aug 2013 08:25:33 +0200
Subject: Bugfix XSS (thanks to Sipke Mellema)

---
 customize.rb | 3 ++-
 poll.rb | 15 ++++++++-------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/customize.rb b/customize.rb
index af64fa3..2062365 100755
--- a/customize.rb
+++ b/customize.rb
@@ -69,11 +69,12 @@ $d << ""
 username = $cgi.cookies["username"][0]
+username = CGI.escapeHTML(username) if username
 if $cgi.include?("delete_username")
 $d.html.add_cookie("username","","/",Time.now - 1*60*60*24*365)
 username = nil
 elsif $cgi.include?("username") && $cgi["username"] != ""
- username = $cgi["username"]
+ username = CGI.escapeHTML($cgi["username"])
 $d.html.add_cookie("username",username,"/",Time.now + 1*60*60*24*365)
 end
diff --git a/poll.rb b/poll.rb
index 269fcb5..8a9be6a 100644
--- a/poll.rb
+++ b/poll.rb
@@ -178,7 +178,7 @@ class Poll
 end
 def invite_to_html
- edituser = $cgi["edituser"] unless $cgi.include?("deleteuser")
+ edituser = CGI.escapeHTML($cgi["edituser"]) unless $cgi.include?("deleteuser")
 invitestr = _("Invite")
 namestr = _("Name")
 ret = <" + ret += "#{edituser}" ret += ""
- ret += _("Do you really want to delete user %{user}?") % {:user => $cgi["edituser"]}
- ret += ""
+ ret += _("Do you really want to delete user %{user}?") % {:user => edituser}
+ ret += ""
 ret += ""
- ret += save_input($cgi["edituser"], "", _("Confirm"))
+ ret += save_input(edituser, "", _("Confirm"))
 ret += ""
 ret
 end
 def edituser_to_html
- edituser = $cgi["edituser"]
+ edituser = CGI.escapeHTML($cgi["edituser"])
 checked = {}
 if @data.include?(edituser)
 @head.columns.each{|k| checked[k] = @data[edituser][k]}
 else
- edituser = $cgi.cookies["username"][0] unless @data.include?($cgi.cookies["username"][0])
+ edituser = CGI.escapeHTML($cgi.cookies["username"][0]) unless @data.include?($cgi.cookies["username"][0])
 @head.columns.each{|k| checked[k] = NOVAL}
 end
--
cgit v1.2.3
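Review bot: The cookie now stores the HTML-escaped name — `username = CGI.escapeHTML($cgi["username"])` feeds straight into `$d.html.add_cookie("username",username,"/",...)` — and the next request reads that cookie back and runs `username = CGI.escapeHTML(username) if username` on it again, so a name containing `&`, `<`, `>` or `"` is escaped once more on every later visit (`&` becomes `&amp;`, then `&amp;amp;`). Escaping is an output concern: keep the raw value in the cookie and escape only where the name is interpolated into markup. The smallest in-hunk change is to write the unescaped parameter to the cookie, `$d.html.add_cookie("username",$cgi["username"],"/",Time.now + 1*60*60*24*365)`, leaving the local `username` escaped for whatever rendering follows. Where `username` is used afterwards, and whether poll.rb compares the cookie value against stored names, lies outside this hunk, so the stored form should be checked against those readers.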
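Review bot: `edituser = CGI.escapeHTML($cgi.cookies["username"][0]) unless @data.include?($cgi.cookies["username"][0])` in edituser_to_html now fails when no username cookie is set: `$cgi.cookies["username"][0]` is nil in that case (the customize.rb hunk guards the very same read with `if username`), and `CGI.escapeHTML(nil)` raises instead of yielding nil as the old assignment did, so a visitor without the cookie whose `edituser` parameter is not in `@data` gets an unhandled exception rather than the empty form. Read the cookie once and guard it: `cookie_name = $cgi.cookies["username"][0]` / `edituser = cookie_name && CGI.escapeHTML(cookie_name) unless @data.include?(cookie_name)`. Separately, escaping before the `@data.include?(edituser)` lookup and before `save_input(edituser, "", _("Confirm"))` means stored names are matched and resubmitted in escaped form; if `@data` keys are kept unescaped (not visible here), names containing `&`, `<`, `>` or `"` stop matching and the delete confirmation resubmits a name that no longer exists, which argues for escaping at the interpolation sites (the `%{user}` substitution and the `#{edituser}` string) rather than at the read. Both method bodies extend past what the hunk shows: the middle of invite_to_html is garbled in this copy and edituser_to_html continues after the last hunk line.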