fix cross site scripting

xss due to printing response from Net::XWhois without proper checks

diff --git a/wwwroot/cgi-bin/plugins/hostinfo.pm b/wwwroot/cgi-bin/plugins/hostinfo.pm
index 95b2c20b7b911b19369dff6ed4e433e96a90eaa5..1f0ac699459d277ed2409075661bd4ae592368ff 100644 (file)
--- a/wwwroot/cgi-bin/plugins/hostinfo.pm
+++ b/wwwroot/cgi-bin/plugins/hostinfo.pm
@@ -181,7 +181,7 @@ sub BuildFullHTMLOutput_hostinfo {
 
        &tab_head("Full Whois Field",0,0,'whois');
        if ($w && $w->response()) {
-               print "<tr><td class=\"aws\"><pre>".($w->response())."</pre></td></tr>\n";
+               print "<tr><td class=\"aws\"><pre>".CleanXSS($w->response())."</pre></td></tr>\n";
        }
        else {
                print "<tr><td><br />The Whois command failed.<br />Did the server running AWStats is allowed to send WhoIs queries (If a firewall is running, port 43 should be opened from inside to outside) ?<br /><br /></td></tr>\n";