if (defined $value and $o_value eq $value) {
$selected = ' selected';
}
- $output .= qq(<option value="$o_value"$selected>$name</option>\n);
+ $output .= q(<option value=").html_escape($o_value).qq("$selected>).
+ html_escape($name).qq(</option>\n);
}
return $output;
};
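Review bot: The new escaping covers `$o_value` and `$name`, but the value lands inside a double-quoted attribute, so it is only safe if html_escape also encodes `"`; if the helper only rewrites `<`, `>` and `&`, a quote in an option value still terminates the attribute. Worth confirming the helper's character set and recording the dependency next to the call: `# html_escape must encode " as well as <>& — $o_value sits inside a quoted attribute`. The q()/qq() concatenation split over two lines is hard to read; `sprintf('<option value="%s"%s>%s</option>' . "\n", html_escape($o_value), $selected, html_escape($name))` expresses the same output in one statement. The enclosing subroutine and the loop that initialises `$selected` start before this hunk, so whether `$selected` is reset per iteration cannot be checked here.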
(closes: #452905)
* Deal properly with leading spaces in query arguments (closes: #158375)
* Only send out control help when control is mailed (closes: #499941)
+ * Resolve two XSS (closes: #504608)
-- Colin Watson <cjwatson@debian.org> Fri, 20 Jun 2003 18:57:25 +0100
<nobr><select name="_fo_searchkey">
{output_select_options(\@search_key_order,$search||'')}
</select>
-<input type="text" name="_fo_searchvalue" value ="{$search_value||''}">
+<input type="text" name="_fo_searchvalue" value ="{html_escape($search_value||'')}">
<!-- {$value_index} -->
</nobr>
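Review bot: The `{$value_index}` interpolation inside the HTML comment on the line after the patched input is left unescaped while the adjacent value attribute is now wrapped in html_escape; if that variable can carry request-derived text, a comment terminator in it would end the comment and the rest would be rendered as markup. If it is always an integer (the hunk does not show where it comes from), escaping it anyway is free and keeps the template uniform: `<!-- {html_escape($value_index)} -->`. The enclosing form markup starts before this hunk.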