From: Michael Tremer
Date: Wed, 21 Aug 2013 15:40:44 +0000 (+0200)
Subject: Merge remote-tracking branch 'ms/xss' into next
X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=df05a856cdc5044398284b1a8dc704b22dfca911;hp=e4d79ba496c7d5203e04df34bf59b827b79a2e0c
Merge remote-tracking branch 'ms/xss' into next
---
diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index a7f209d9c..9129c682c 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -12,6 +12,7 @@ package Header;
 use CGI();
+use HTML::Entities();
 use Socket;
 use Time::Local;
@@ -305,16 +306,16 @@ sub IpInSubnet
 return (($ip >= $start) && ($ip <= $end));
 }
-sub cleanhtml
-{
+sub escape($) {
+ my $s = shift;
+ return HTML::Entities::encode_entities($s);
+}
+
+sub cleanhtml {
 my $outstring =$_[0];
 $outstring =~ tr/,/ / if not defined $_[1] or $_[1] ne 'y';
- $outstring =~ s/&/&/g;
- $outstring =~ s/\'/'/g;
- $outstring =~ s/\"/"/g; #" This is just a workaround for the syntax highlighter
- $outstring =~ s//>/g;
- return $outstring;
+
+ return escape($outstring);
 }
 sub connectionstatus
diff --git a/html/cgi-bin/logs.cgi/proxylog.dat b/html/cgi-bin/logs.cgi/proxylog.dat
index e529be061..da86f8917 100644
--- a/html/cgi-bin/logs.cgi/proxylog.dat
+++ b/html/cgi-bin/logs.cgi/proxylog.dat
@@ -90,7 +90,7 @@ if ($ENV{'QUERY_STRING'} && $cgiparams{'ACTION'} ne $Lang::tr{'update'})
 $cgiparams{'MONTH'} = $temp[1];
 $cgiparams{'DAY'} = $temp[2];
 $cgiparams{'SOURCE_IP'} = $temp[3];
- $cgiparams{'USERNAME'} = $temp[4];
+ $cgiparams{'USERNAME'} = &Header::escape($temp[4]);
 }
 if (!($cgiparams{'MONTH'} =~ /^(0|1|2|3|4|5|6|7|8|9|10|11)$/) ||
@@ -383,6 +383,7 @@ print <$so\n"; } print <
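Review bot: `sub escape($)` declares a `($)` prototype, which changes how call sites parse rather than validating the argument, and the one cross-file caller added in this commit (`&Header::escape(...)` in proxylog.dat) bypasses prototypes anyway; prefer `sub escape {` with `my ($s) = @_;` so every caller gets the same behaviour. Also worth recording on the new sub is that `encode_entities` with no second argument encodes control and non-ASCII characters as numeric entities in addition to `&`, `<`, `>` and both quotes, so the rewritten `cleanhtml` now returns something different from the removed hand-rolled substitutions for any non-ASCII input — still safe for HTML output, but callers that compare or store the result will notice. A one-line comment would make that explicit: `# HTML::Entities default set: also encodes control and non-ASCII chars, not only &<>"'`. The text of the removed `s///` lines is mangled in this rendering of the diff (entity targets were decoded and two lines were merged), so the exact old escape set cannot be confirmed from here.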
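Review bot: Escaping `$temp[4]` at parse time stores an already HTML-encoded username in `$cgiparams{'USERNAME'}`, so any later use of that value as data rather than as display text — matching it against proxy log lines, or re-emitting it into a form field that the page escapes again — will see entity-encoded forms instead of the raw name; those later uses are outside this hunk, so this is an inference to check. The more robust pattern is to keep the raw value here and call `Header::escape` at each print site, which also avoids double encoding when the value round-trips through the form. If the assignment is kept as-is, drop the `&` call syntax: `$cgiparams{'USERNAME'} = Header::escape($temp[4]);`. `$temp[1]` to `$temp[3]` from the same split remain unescaped; MONTH is constrained by the regex that follows, but SOURCE_IP's validation is not visible in this hunk and needs the same treatment wherever it is printed.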