From: preed%sigkill.com <> Date: Thu, 30 May 2002 01:13:34 +0000 (+0000) Subject: Bug 147486 - First (of many?) fixes of cross site scripting issues; checked in on... X-Git-Tag: bugzilla-2.14.2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b149d608c49647552397cdcc46b93139c63f67a;p=thirdparty%2Fbugzilla.git Bug 147486 - First (of many?) fixes of cross site scripting issues; checked in on the 2.14.1 branch; this patch is slightly different (semantically) from the one in 147486; it moves the ) placement, per myk's suggestion in the bug. patch=preed, r=bbaetz,myk --- diff --git a/editusers.cgi b/editusers.cgi index cc56966d7f..2db93e4acc 100755 --- a/editusers.cgi +++ b/editusers.cgi @@ -336,7 +336,7 @@ if ($action eq 'list') { $s = ""; $e = ""; } - $realname ||= "missing"; + $realname = ($realname ? html_quote($realname) : "missing"); print "\n"; print " $s$user$e\n"; print " $s$realname$e\n"; @@ -535,7 +535,7 @@ if ($action eq 'del') { WHERE login_name=" . SqlQuote($user)); my ($realname, $groupset) = FetchSQLData(); - $realname ||= "missing"; + $realname = ($realname ? html_quote($realname) : "missing"); print "\n"; print "\n";
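Review bot: in the @@ -336 hunk (action 'list'), `$user` is still interpolated unescaped in `print " $s$user$e\n";` on the line directly after the fix, while only `$realname` goes through html_quote(). The second hunk shows `$user` is the login_name value, so it is account data of the same kind as the real name and should be escaped the same way before it is printed, for example by passing it through html_quote() at that print. Separately, the ternary tests truthiness, so a real name of "0" is displayed as "missing", the same as with the old `||=`; a defined-and-non-empty test would avoid that.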
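Review bot: in the @@ -535 hunk (action 'del'), the escaping is done by overwriting `$realname` immediately after FetchSQLData() rather than at the point of output, so every later use of `$realname` in this branch now carries HTML entities. That is correct only while every later use is HTML text; if the value is reused in another context it will be wrong or escaped twice. Keeping the raw value and calling html_quote() where it is printed would be safer. The expression `($realname ? html_quote($realname) : "missing")` is also duplicated verbatim from the list branch, so a small shared helper would stop the two copies from drifting apart.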