From: Don Armstrong <don@donarmstrong.com>
Date: Fri, 26 Sep 2014 17:28:58 +0000 (-0700)
Subject: fix XSS in version.cgi
X-Git-Tag: release/2.6.0~252
X-Git-Url: https://git.donarmstrong.com/?p=debbugs.git;a=commitdiff_plain;h=0417e15cafaf1a653a8e9ea20ccb8057566ed091

fix XSS in version.cgi
---

diff --git a/cgi/version.cgi b/cgi/version.cgi
index ed0be63..9858d31 100755
--- a/cgi/version.cgi
+++ b/cgi/version.cgi
@@ -93,9 +93,9 @@ if ($cgi_var{info} and not defined $cgi_var{dot}) {
      print <<END;
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
-<head><title>$cgi_var{package} Version Graph</title></head>
-<body>
 END
+     print '<head><title>'.html_escape($cgi_var{package}).' Version Graph</title></head>'."\n";
+     print "<body>\n"
      print '<a href="'.html_escape(munge_url($this,ignore_boring=>$cgi_var{ignore_boring}?0:1)).
 	  '">['.($cgi_var{ignore_boring}?"Don't i":'I').'gnore boring]</a> ';
      print '<a href="'.html_escape(munge_url($this,collapse=>$cgi_var{collapse}?0:1)).