header.pl: Create new escape function that uses HTML::Entities.
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 20 Aug 2013 09:05:28 +0000 (11:05 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 20 Aug 2013 09:05:28 +0000 (11:05 +0200)
This partly replaces cleanhtml(), which is kept for
backwards-compatibility and for a special case.

config/cfgroot/header.pl

index a7f209d9cbaed7c7ef485b0f2cd74c2ad6978d21..9129c682c05f0d20be9798eee502fac7e61848fd 100644 (file)
@@ -12,6 +12,7 @@
 package Header;
 
 use CGI();
+use HTML::Entities();
 use Socket;
 use Time::Local;
 
@@ -305,16 +306,16 @@ sub IpInSubnet
     return (($ip >= $start) && ($ip <= $end));
 }
 
-sub cleanhtml
-{
+sub escape($) {
+       my $s = shift;
+       return HTML::Entities::encode_entities($s);
+}
+
+sub cleanhtml {
        my $outstring =$_[0];
        $outstring =~ tr/,/ / if not defined $_[1] or $_[1] ne 'y';
-       $outstring =~ s/&/&amp;/g;
-       $outstring =~ s/\'/&#039;/g;
-       $outstring =~ s/\"/&quot;/g; #" This is just a workaround for the syntax highlighter
-       $outstring =~ s/</&lt;/g;
-       $outstring =~ s/>/&gt;/g;
-       return $outstring;
+
+       return escape($outstring);
 }
 
 sub connectionstatus
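Review bot: `escape()` calls `HTML::Entities::encode_entities($s)` without a character set, so besides `<`, `>`, `&`, `"` and `'` it also encodes control and high-bit characters, which the five `s///` lines removed from `cleanhtml` never touched. If callers pass undecoded UTF-8 bytes (not visible in this hunk), each byte of a multi-byte character would come out as its own Latin-1 entity and non-ASCII text would render garbled. Naming the set explicitly keeps the previous output for such input while still covering the HTML-significant characters: `return HTML::Entities::encode_entities($s, q{<>&"'});`. The `($)` prototype only forces scalar context on the argument and validates nothing, so plain `sub escape {` is the safer spelling. A short comment on `escape` saying the result is meant for HTML text and quoted attribute values, not for script or URL contexts, would also help callers pick the right encoder.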