routing: Fix potential authenticated XSS in input processing
[ipfire-2.x.git] / html / cgi-bin / routing.cgi
index f2014e2e12f917ecc31c56c7490534a52a420874..be21007fa837ee4857da4fea0cb93b6d14afafc7 100644 (file)
@@ -137,6 +137,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'add'}) {
        $errormessage = $Lang::tr{'invalid ip'}. " - ".$Lang::tr{'gateway ip'};
        }
 
+       # Escape input in REMARK field
+       $settings{'REMARK'} = &Header::escape($settings{'REMARK'});
+
        #set networkip if not already correctly defined
        my($ip,$cidr) = split(/\//,$settings{'IP'});
        my $netip=&General::getnetworkip($ip,$cidr);
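Review bot: The escape added at `$settings{'REMARK'} = &Header::escape($settings{'REMARK'});` appears to sit only on the add path, so it covers new submissions but not remarks stored before this change or written to the same configuration by any other path. The code that renders the remark is outside this hunk; if it prints the stored value as-is, escaping at output would cover both cases. Storing the encoded form also risks double encoding (e.g. `&amp;amp;`) if the edit action loads a stored remark back into the form and it is saved again through this block. If input-side escaping stays, a comment such as `# REMARK is stored HTML-escaped; do not escape again on output or when re-saving an edited entry` would make the contract explicit. The enclosing `if ($settings{'ACTION'} eq $Lang::tr{'add'})` block starts and ends outside the hunk.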