From fa97bae01cc2ada209e8559e48c25298fe628181 Mon Sep 17 00:00:00 2001
From: Adolf Belka
Date: Thu, 25 Sep 2025 13:12:40 +0200
Subject: [PATCH] header.pl: Fixes bug 13880

Fixes: bug 13880 - cleanhtml() Unchecked Return Value Stored Cross-Site Scripting
Signed-off-by: Adolf Belka
Reviewed-by: Bernhard Bitsch
Signed-off-by: Michael Tremer
---
 config/cfgroot/header.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index 9492b467d..6e65f4137 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -647,7 +647,7 @@ sub cleanhtml {
 # decode the UTF-8 text so that characters with diacritical marks such as
 # umlauts are treated correctly by the escape command
 $outstring = &Encode::decode("UTF-8",$outstring);
- escape($outstring);
+ $outstring = escape($outstring);
 # encode the text back to UTF-8 after running the escape command
 $outstring = &Encode::encode("UTF-8",$outstring);
 return $outstring;
-- 
2.47.3
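Review bot: The corrected line `$outstring = escape($outstring);` only covers values that pass through cleanhtml() from now on; anything saved while the return value was being discarded was presumably stored unescaped, and will still render raw wherever a page prints it without escaping at output time. The callers are not visible in this patch, so they are worth auditing for two cases: stored values printed without output-time escaping, and callers that already escape on output and will now show double-encoded entities such as `&amp;amp;`. A short comment above the call, for example `# escape() returns the encoded copy; the result must be assigned`, would document the contract the bug title implies and keep a later edit from dropping the assignment again. cleanhtml() begins above the hunk, so how its arguments are handled before this point cannot be checked here.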