header.pl: Fixes bug 13880

Fixes: bug 13880 - cleanhtml() Unchecked Return Value Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index 9492b467d0b43b06087394fd31fe1a8f94b0d4fd..6e65f4137ccb0c3924d4e6b9a89167ac95854bc2 100644 (file)
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -647,7 +647,7 @@ sub cleanhtml {
        # decode the UTF-8 text so that characters with diacritical marks such as
        # umlauts are treated correctly by the escape command
        $outstring = &Encode::decode("UTF-8",$outstring);
-       escape($outstring);
+       $outstring = escape($outstring);
        # encode the text back to UTF-8 after running the escape command
        $outstring = &Encode::encode("UTF-8",$outstring);
        return $outstring;