Secu: Fix RSS vulnerability
authoreldy <>
Sun, 27 Jul 2008 17:41:57 +0000 (17:41 +0000)
committereldy <>
Sun, 27 Jul 2008 17:41:57 +0000 (17:41 +0000)
wwwroot/cgi-bin/awstats.pl

index 79d9a552cc439b6ae046f3cea81443e94725f122..a2a2e606a7a6b000a170b156fe8a35d1a1192ee6 100644 (file)
@@ -4406,6 +4406,7 @@ sub EncodeString {
 sub DecodeEncodedString {
        my $stringtodecode=shift;
        $stringtodecode =~ tr/\+/ /s;
+       $stringtodecode =~ s/%22//g;
        $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
        return $stringtodecode;
 }
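Review bot: The added `s/%22//g` handles only the URL-encoded form of the double quote, so a literal `"` already present in the input passes through DecodeEncodedString untouched, and the encoded one is silently deleted rather than escaped, which both changes the decoded value and leaves the protection dependent on callers URL-encoding their parameters. Escaping at the output stage, `s/"/&quot;/g` in CleanXSS, would cover both forms uniformly and keep decoding and sanitizing as separate concerns. The CleanXSS hunk below takes the same remove-a-substring approach with `s/onload//g`, which has no `/i` flag and therefore leaves mixed-case spellings of the attribute name unchanged; `s/onload//gi` is the minimal fix there, though attribute-quote escaping is the more robust one. A why-comment on the new line would also help the next maintainer, e.g. `# drop encoded double quotes so a decoded value cannot terminate an HTML attribute`.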
@@ -4458,9 +4459,12 @@ sub Sanitize {
 #------------------------------------------------------------------------------
 sub CleanXSS {
        my $stringtoclean=shift;
+       # To avoid html tags and javascript
        $stringtoclean =~ s/</&lt;/g;
        $stringtoclean =~ s/>/&gt;/g;
        $stringtoclean =~ s/|//g;
+       # To avoid onload="
+       $stringtoclean =~ s/onload//g;
        return $stringtoclean;
 }