From 0417e15cafaf1a653a8e9ea20ccb8057566ed091 Mon Sep 17 00:00:00 2001
From: Don Armstrong <don@donarmstrong.com>
Date: Fri, 26 Sep 2014 10:28:58 -0700
Subject: [PATCH] fix XSS in version.cgi

---
 cgi/version.cgi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cgi/version.cgi b/cgi/version.cgi
index ed0be63..9858d31 100755
--- a/cgi/version.cgi
+++ b/cgi/version.cgi
@@ -93,9 +93,9 @@ if ($cgi_var{info} and not defined $cgi_var{dot}) {
      print <<END;
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-<head><title>$cgi_var{package} Version Graph</title></head>
-<body>
 END
+     print '<head><title>'.html_escape($cgi_var{package}).' Version Graph</title></head>'."\n";
+     print "<body>\n"
      print '<a href="'.html_escape(munge_url($this,ignore_boring=>$cgi_var{ignore_boring}?0:1)).
 	  '">['.($cgi_var{ignore_boring}?"Don't i":'I').'gnore boring]</a> ';
      print '<a href="'.html_escape(munge_url($this,collapse=>$cgi_var{collapse}?0:1)).
-- 
2.39.2