From: eldy <>
Date: Sun, 27 Jul 2008 17:41:57 +0000 (+0000)
Subject: Secu: Fix RSS vulnerability
X-Git-Tag: AWSTATS_6_9_BETA~55
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=20d0dff955dc3486bdfa1c7d3dbc4d7390dc4872;p=thirdparty%2FAWStats.git

Secu: Fix RSS vulnerability
---
diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
index 79d9a552..a2a2e606 100644
--- a/wwwroot/cgi-bin/awstats.pl
+++ b/wwwroot/cgi-bin/awstats.pl
@@ -4406,6 +4406,7 @@ sub EncodeString {
 sub DecodeEncodedString {
 my $stringtodecode=shift;
 $stringtodecode =~ tr/\+/ /s;
+ $stringtodecode =~ s/%22//g;
 $stringtodecode =~ s/%([A-F0-9][A-F0-9])/pack("C", hex($1))/ieg;
 return $stringtodecode;
 }
@@ -4458,9 +4459,12 @@ sub Sanitize {
 #------------------------------------------------------------------------------
 sub CleanXSS {
 my $stringtoclean=shift;
+ # To avoid html tags and javascript
 $stringtoclean =~ s//>/g;
 $stringtoclean =~ s/|//g;
+ # To avoid onload="
+ $stringtoclean =~ s/onload//g;
 return $stringtoclean;
 }
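Review bot: The added `s/%22//g` in DecodeEncodedString removes only the percent-encoded form of the double quote, so a literal `"` arriving in the query string still reaches the return value unchanged and a caller that places the decoded value inside an HTML attribute is not protected by this line alone. It also silently alters legitimate data (any parameter value that genuinely contains an encoded quote) and ties a generic URL decoder to one output context. A decoder should reproduce its input faithfully; quote handling belongs where the value is emitted, i.e. the output sanitizer should entity-encode `"` as `&quot;` rather than the decoder dropping it. If the line is kept, record the intent next to it, e.g. `# Drop encoded double quotes before decoding so a parameter cannot close an HTML attribute; CleanXSS handles the output side`.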
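Review bot: `s/onload//g` in CleanXSS is a one-keyword blocklist, and the new comment `# To avoid onload="` shows the actual goal is to stop an injected attribute handler, which is achieved generally by entity-encoding the attribute delimiters rather than by deleting a name. Removing a single name does not cover other event-handler attributes, a single-pass `s///g` leaves neighbouring fragments that can re-form the removed token, and any legitimate value containing that substring is silently corrupted. The two substitutions above the new lines look like the `<`/`>` entity replacements (they are garbled in this view, and the hunk header counts 9/12 lines so some context is not visible), so the robust addition alongside them is `$stringtoclean =~ s/"/&quot;/g;` and `$stringtoclean =~ s/'/&#39;/g;`. If the onload line stays, make its role explicit in the comment, e.g. `# Defence in depth only: the entity encoding above is the real barrier`.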