[project @ 2002-10-31 00:55:31 by cjwatson]

'&' needs to be escaped to '&' in HREF attributes too; see HTML 4.01
section 5.3.2.

diff --git a/cgi/common.pl b/cgi/common.pl
index 1e255ee7fae2d7c449fd1567179152d00786f028..043c795dc5dd40421fbf8a000ebe6de74b5f5c5b 100644 (file)
--- a/cgi/common.pl
+++ b/cgi/common.pl
@@ -216,9 +216,9 @@ sub urlsanit {
     my $url = shift;
     $url =~ s/%/%25/g;
     $url =~ s/\+/%2b/g;
-    my %saniarray = ('<','lt', '>','gt', '"','quot');
+    my %saniarray = ('<','lt', '>','gt', '&','amp', '"','quot');
     my $out;
-    while ($url =~ m/[<>"]/) {
+    while ($url =~ m/[<>&"]/) {
         $out .= $`. '&'. $saniarray{$&}. ';';
         $url = $';
     }