Partial fix for bug 163573: Escapes HTML in form data displayed to the user to secure Bonsai against cross-site scripting attacks.

r=tara

webtools/bonsai/cvsblame.cgi

@@ -144,7 +144,8 @@ foreach (@src_roots) {
 
 unless ($found_rcs_file) {
   &print_top;
-  print "Rcs file, $filename, does not exist.<pre>rcs_filename => '$rcs_filename'\nroot => '$root'</pre><BR><BR>\n";
+  my $escaped_filename = html_quote($filename);
+  print "Rcs file, $escaped_filename, does not exist.<pre>rcs_filename => '$rcs_filename'\nroot => '$root'</pre><BR><BR>\n";
 print "</BODY></HTML>\n";
   &print_bottom;
   exit;

webtools/bonsai/cvslog.cgi

@@ -114,7 +114,8 @@ foreach (@src_roots) {
 }
 # File not found
 &print_top;
-print "Rcs file, $filename, does not exist.<BR><BR>\n";
+my $escaped_filename = html_quote($filename);
+print "Rcs file, $escaped_filename, does not exist.<BR><BR>\n";
 print "</BODY></HTML>\n";
 &print_bottom;
 exit;

webtools/bonsai/globals.pl

@@ -1051,7 +1051,8 @@ sub validateRepository {
         }
     }
 
-    print "Invalid repository `$root' selected.\n";
+    my $escaped_root = html_quote($root);
+    print "Invalid repository `$escaped_root' selected.\n";
     print ConstructMailTo(Param('maintainer'), "Invalid Repository '$root'");
     print " if you think this should have worked.\n";
     exit;