proxy.cgi: Escape parameters in the right place

author Michael Tremer <michael.tremer@ipfire.org>

Thu, 25 Sep 2025 15:32:51 +0000 (17:32 +0200)

committer Michael Tremer <michael.tremer@ipfire.org>

Thu, 2 Oct 2025 16:56:01 +0000 (16:56 +0000)
author Michael Tremer <michael.tremer@ipfire.org>
Thu, 25 Sep 2025 15:32:51 +0000 (17:32 +0200)
committer Michael Tremer <michael.tremer@ipfire.org>
Thu, 2 Oct 2025 16:56:01 +0000 (16:56 +0000)
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi

index 3fbd78d2cfbe2cebc6a8ee5323c0cd1c0bcab71e..fdb7c6a77878cb60a39c8df367d95682d367b813 100644 (file)
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -955,7 +955,8 @@ if ($netsettings{'BLUE_DEV'}) {
  }
  print <<END
         <td class='base'>$Lang::tr{'advproxy visible hostname'}:</td>
-       <td><input type='text' name='VISIBLE_HOSTNAME' value='$proxysettings{'VISIBLE_HOSTNAME'}' /></td>
+       <td><input type='text' name='VISIBLE_HOSTNAME'
+               value='@{[ &Header::escape($proxysettings{'VISIBLE_HOSTNAME'}) ]}' /></td>
  </tr>
  <tr>
  END
@@ -1074,13 +1075,15 @@ print <<END
         <td class='base'><a href='/cgi-bin/cachemgr.cgi' target='_blank'>$Lang::tr{'proxy cachemgr'}:</td>
         <td><input type='checkbox' name='CACHEMGR' $checked{'CACHEMGR'}{'on'} /></td>
         <td class='base'>$Lang::tr{'advproxy admin mail'}:</td>
-       <td><input type='text' name='ADMIN_MAIL_ADDRESS' value='$proxysettings{'ADMIN_MAIL_ADDRESS'}' /></td>
+       <td><input type='text' name='ADMIN_MAIL_ADDRESS'
+               value='@{[ &Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'}) ]}' /></td>
  </tr>
  <tr>
         <td class='base'>$Lang::tr{'proxy filedescriptors'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
         <td><input type='text' name='FILEDESCRIPTORS' value='$proxysettings{'FILEDESCRIPTORS'}' size='5' /></td>
         <td class='base'>$Lang::tr{'proxy admin password'}:</td>
-       <td><input type='text' name='ADMIN_PASSWORD' value='$proxysettings{'ADMIN_PASSWORD'}' /></td>
+       <td><input type='text' name='ADMIN_PASSWORD'
+               value='@{[ &Header::escape($proxysettings{'ADMIN_PASSWORD'}) ]}' /></td>
  </tr>
  <tr>
         <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
@@ -3973,18 +3976,15 @@ END
         {
                 print FILE " $mainsettings{'HOSTNAME'}.$mainsettings{'DOMAINNAME'}\n\n";
         } else {
-               $proxysettings{'VISIBLE_HOSTNAME'} = &Header::escape($proxysettings{'VISIBLE_HOSTNAME'});
                 print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
         }
  
         if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq ''))
                 {
-                       $proxysettings{'ADMIN_MAIL_ADDRESS'} = &Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'});
                         print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n";
                 }
         if (!($proxysettings{'ADMIN_PASSWORD'} eq ''))
                 {
-                       $proxysettings{'ADMIN_PASSWORD'} = &Header::escape($proxysettings{'ADMIN_PASSWORD'});
                         print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n";
                 }
         print FILE "\n";
author	Michael Tremer <michael.tremer@ipfire.org>
	Thu, 25 Sep 2025 15:32:51 +0000 (17:32 +0200)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Thu, 2 Oct 2025 16:56:01 +0000 (16:56 +0000)