From: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu, 25 Sep 2025 11:12:40 +0000 (+0200)
Subject: header.pl: Fixes bug 13880
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa97bae01cc2ada209e8559e48c25298fe628181;p=ipfire-2.x.git

header.pl: Fixes bug 13880

Fixes: bug 13880 - cleanhtml() Unchecked Return Value Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index 9492b467d..6e65f4137 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -647,7 +647,7 @@ sub cleanhtml {
 	# decode the UTF-8 text so that characters with diacritical marks such as
 	# umlauts are treated correctly by the escape command
 	$outstring = &Encode::decode("UTF-8",$outstring);
-	escape($outstring);
+	$outstring = escape($outstring);
 	# encode the text back to UTF-8 after running the escape command
 	$outstring = &Encode::encode("UTF-8",$outstring);
 	return $outstring;