From fe5ff8340292958c247cf7e3f1ad8330c88de33a Mon Sep 17 00:00:00 2001
From: Benjamin Kellermann
Date: Mon, 19 Aug 2013 08:25:33 +0200
Subject: Bugfix XSS (thanks to Sipke Mellema)

---
 customize.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'customize.rb')

diff --git a/customize.rb b/customize.rb
index af64fa3..2062365 100755
--- a/customize.rb
+++ b/customize.rb
@@ -69,11 +69,12 @@ $d << ""
 username = $cgi.cookies["username"][0]
+username = CGI.escapeHTML(username) if username
 if $cgi.include?("delete_username")
 	$d.html.add_cookie("username","","/",Time.now - 1*60*60*24*365)
 	username = nil
 elsif $cgi.include?("username") && $cgi["username"] != ""
-	username = $cgi["username"]
+	username = CGI.escapeHTML($cgi["username"])
 	$d.html.add_cookie("username",username,"/",Time.now + 1*60*60*24*365)
 end
-- 
cgit v1.2.3
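Review bot: The two new escapes compound: the `elsif` branch stores the already-escaped value in the cookie, and the first added line escapes whatever comes back from that cookie on the next request, so a name such as `a<b` is saved as `a&lt;b` and rendered as `a&amp;lt;b` on the following visit (shown literally as `a&lt;b`). Escaping is also applied at input rather than at output, so the cookie and anything else that later reads `username` carry HTML-encoded data instead of the user's actual value. I would keep the raw value in the cookie — `username = $cgi["username"]` as before, with the first added line dropped — and escape exactly once after the `end`, `username = CGI.escapeHTML(username) if username`, or better still at the point where `username` is interpolated into `$d`, which lies outside this hunk. Note that `CGI.escapeHTML` is only sufficient for HTML text and quoted attribute values; if `username` is also emitted into a JavaScript or URL context elsewhere, that context needs its own encoding.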