From 5ba9e6606e0a9666fb2bf83c68f1979f9dd2fbb2 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue, 20 Aug 2013 11:06:36 +0200
Subject: [PATCH] proxylog.dat: Escape usernames.

Bug #10406.
---
 html/cgi-bin/logs.cgi/proxylog.dat | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/logs.cgi/proxylog.dat b/html/cgi-bin/logs.cgi/proxylog.dat
index e529be061d..da86f89173 100644
--- a/html/cgi-bin/logs.cgi/proxylog.dat
+++ b/html/cgi-bin/logs.cgi/proxylog.dat
@@ -90,7 +90,7 @@ if ($ENV{'QUERY_STRING'} && $cgiparams{'ACTION'} ne $Lang::tr{'update'})
  	$cgiparams{'MONTH'} = $temp[1];
  	$cgiparams{'DAY'} = $temp[2];  
 	$cgiparams{'SOURCE_IP'} = $temp[3];
-	$cgiparams{'USERNAME'} = $temp[4];
+	$cgiparams{'USERNAME'} = &Header::escape($temp[4]);
 }
 
 if (!($cgiparams{'MONTH'} =~ /^(0|1|2|3|4|5|6|7|8|9|10|11)$/) ||
@@ -383,6 +383,7 @@ print <<END
 END
 ;
 foreach my $so (sort keys %users) {
+	$so = &Header::escape($so);
 	print "<option value='$so' $selected{'USERNAME'}{$so}>$so</option>\n"; }
 print <<END
 	</select>
-- 
2.39.5