From 8894e9ba8f3c0c52a233f644254d43bca31f1bfe Mon Sep 17 00:00:00 2001
From: "myk%mozilla.org"
Date: Tue, 20 Aug 2002 21:32:07 +0000
Subject: [PATCH] Partial fix for bug 163573: Escapes HTML in form data displayed to the user to secure Bonsai against cross-site scripting attacks. r=tara

---
 webtools/bonsai/cvsblame.cgi | 3 ++-
 webtools/bonsai/cvslog.cgi | 3 ++-
 webtools/bonsai/globals.pl | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/webtools/bonsai/cvsblame.cgi b/webtools/bonsai/cvsblame.cgi
index 5896f9573de..fdf7c950276 100755
--- a/webtools/bonsai/cvsblame.cgi
+++ b/webtools/bonsai/cvsblame.cgi
@@ -144,7 +144,8 @@ foreach (@src_roots) {
 unless ($found_rcs_file) {
 &print_top;
- print "Rcs file, $filename, does not exist.
rcs_filename => '$rcs_filename'\nroot => '$root'


\n";
+ my $escaped_filename = html_quote($filename);
+ print "Rcs file, $escaped_filename, does not exist.
rcs_filename => '$rcs_filename'\nroot => '$root'


\n";
 print "\n";
 &print_bottom;
 exit;
diff --git a/webtools/bonsai/cvslog.cgi b/webtools/bonsai/cvslog.cgi
index 1c2694cae53..c765c9fcfb3 100755
--- a/webtools/bonsai/cvslog.cgi
+++ b/webtools/bonsai/cvslog.cgi
@@ -114,7 +114,8 @@ foreach (@src_roots) {
 }
 # File not found
 &print_top;
-print "Rcs file, $filename, does not exist.
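Review bot: The new print line in cvsblame.cgi still interpolates `$rcs_filename` and `$root` unescaped into the same HTML message, so only one of the three values on that line is covered by the change. If `$rcs_filename` is built from `$filename` (it reads that way, but its assignment is outside the hunk), the user-supplied text still reaches the page through it. Escape the other two the same way, `my $escaped_rcs_filename = html_quote($rcs_filename); my $escaped_root = html_quote($root);`, and interpolate those in the message instead. The markup inside the printed string appears to have been stripped by the page rendering, so the exact original line cannot be quoted here; the `unless ($found_rcs_file)` block this sits in closes outside the hunk.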

\n";
+my $escaped_filename = html_quote($filename);
+print "Rcs file, $escaped_filename, does not exist.

\n";
 print "\n";
 &print_bottom;
 exit;
diff --git a/webtools/bonsai/globals.pl b/webtools/bonsai/globals.pl
index 307aae15c11..84027c7d83a 100644
--- a/webtools/bonsai/globals.pl
+++ b/webtools/bonsai/globals.pl
@@ -1051,7 +1051,8 @@ sub validateRepository {
 }
 }
- print "Invalid repository `$root' selected.\n";
+ my $escaped_root = html_quote($root);
+ print "Invalid repository `$escaped_root' selected.\n";
 print ConstructMailTo(Param('maintainer'), "Invalid Repository '$root'");
 print " if you think this should have worked.\n";
 exit;
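Review bot: The context line directly after the change in globals.pl, `print ConstructMailTo(Param('maintainer'), "Invalid Repository '$root'");`, still passes the raw `$root` into the output, so unless ConstructMailTo escapes its arguments itself (its body is not in this patch) the same value the first print now escapes reaches the page one line later. Which escaping is right depends on where that string lands: if it becomes the link text, `$escaped_root` can be passed directly; if it becomes the mailto: subject inside an href attribute, it needs URL-encoding as well as attribute escaping, which is better done inside ConstructMailTo than at this call site. A short comment on the new declaration, `# $root is request data; escape before interpolating it into HTML`, would record why the copy exists. validateRepository begins outside the hunk.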