fix XSS in version.cgi

diff --git a/cgi/version.cgi b/cgi/version.cgi
index ed0be6304ac58e094ffe4e3d8d458238e9391e48..9858d317a59dd002d8143fdcc6041688207abc62 100755 (executable)
--- a/cgi/version.cgi
+++ b/cgi/version.cgi
@@ -93,9 +93,9 @@ if ($cgi_var{info} and not defined $cgi_var{dot}) {
      print <<END;
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-<head><title>$cgi_var{package} Version Graph</title></head>
-<body>
 END
+     print '<head><title>'.html_escape($cgi_var{package}).' Version Graph</title></head>'."\n";
+     print "<body>\n"
      print '<a href="'.html_escape(munge_url($this,ignore_boring=>$cgi_var{ignore_boring}?0:1)).
          '">['.($cgi_var{ignore_boring}?"Don't i":'I').'gnore boring]</a> ';
      print '<a href="'.html_escape(munge_url($this,collapse=>$cgi_var{collapse}?0:1)).