From 8b33e596c470e9216bd4c7e61bf2bfc889ea6673 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 20 Aug 2013 11:05:28 +0200
Subject: [PATCH] header.pl: Create new escape function that uses HTML::Entities.

This partly replaces cleanhtml(), which is kept for backwards-compatibility and for a special case.
---
 config/cfgroot/header.pl | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index a7f209d9c..9129c682c 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -12,6 +12,7 @@ package Header;
 use CGI();
+use HTML::Entities();
 use Socket;
 use Time::Local;
@@ -305,16 +306,16 @@ sub IpInSubnet
 return (($ip >= $start) && ($ip <= $end));
 }
-sub cleanhtml
-{
+sub escape($) {
+ my $s = shift;
+ return HTML::Entities::encode_entities($s);
+}
+
+sub cleanhtml {
 my $outstring =$_[0];
 $outstring =~ tr/,/ / if not defined $_[1] or $_[1] ne 'y';
- $outstring =~ s/&/&/g;
- $outstring =~ s/\'/'/g;
- $outstring =~ s/\"/"/g; #" This is just a workaround for the syntax highlighter
- $outstring =~ s//>/g;
- return $outstring;
+
+ return escape($outstring);
 }
 sub connectionstatus
--
2.39.2
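Review bot: The one-argument call `HTML::Entities::encode_entities($s)` in the new `escape()` (second hunk) encodes more than the five characters the removed substitutions in `cleanhtml` handled, because its default set also covers control and high-bit characters. If callers pass undecoded UTF-8 byte strings, which this hunk does not show, each byte of a non-ASCII character would become its own Latin-1 entity and render as mojibake. Naming the set explicitly, `return HTML::Entities::encode_entities($s, q{<>&"'});`, keeps the markup-significant characters covered and leaves other bytes alone. The `($)` prototype on `escape` forces scalar context on the argument rather than validating it, so `escape(@parts)` would escape the element count; plain `sub escape {` avoids that. A one-line comment that the result is meant for HTML text and quoted attribute values, not for script or URL contexts, would help callers choose the right encoder.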