From 4cf0694e55305e368c4ca28da2db7481c8f08c5a Mon Sep 17 00:00:00 2001
From: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu, 25 Sep 2025 13:12:51 +0200
Subject: [PATCH] proxy.cgi: Fixes bug 13893

Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/proxy.cgi | 1 +
 1 file changed, 1 insertion(+)

diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index bdce2fa66..1ade39381 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -3973,6 +3973,7 @@ END
 	{
 		print FILE " $mainsettings{'HOSTNAME'}.$mainsettings{'DOMAINNAME'}\n\n";
 	} else {
+		$proxysettings{'VISIBLE_HOSTNAME'} = &Header::escape($proxysettings{'VISIBLE_HOSTNAME'});
 		print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
 	}
 
-- 
2.47.3