From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH] clwarn.cgi: Remove XSS
Date: Wed, 24 May 2023 08:20:41 +0000
Message-ID: <20230524082041.266912-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3523016842524791008=="
List-Id:
--===============3523016842524791008==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Fixes: #12966
Reported-by: Arthur Naullet
Reported-by: Rafael Lima
Signed-off-by: Michael Tremer
---
html/html/clwarn.cgi | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/html/html/clwarn.cgi b/html/html/clwarn.cgi
index 44f7f98ab..c7a415cdb 100644
--- a/html/html/clwarn.cgi
+++ b/html/html/clwarn.cgi
@@ -20,6 +20,7 @@
 ############################################################################= ###
=20
 use CGI qw(param);
+use HTML::Entities();
=20
 # enable only the following on debugging purpose
 use warnings;
@@ -30,11 +31,11 @@ $swroot=3D"/var/ipfire";
=20
 my $TITLE_VIRUS =3D "SquidClamAv Virus detection";
=20
-my $url =3D param('url') || '';
-my $virus =3D param('virus') || '';
-my $source =3D param('source') || '';
+my $url =3D &HTML::Entities::encode_entities(param('url') || '');
+my $virus =3D &HTML::Entities::encode_entities(param('virus') || '');
+my $source =3D &HTML::Entities::encode_entities(param('source') || '');
 $source =3D~ s/\/-//;
-my $user =3D param('user') || '';
+my $user =3D &HTML::Entities::encode_entities(param('user') || '');
=20
=20
 # Remove clamd infos
--=20
2.30.2
--===============3523016842524791008==--
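Review bot: The second hunk entity-encodes `$url`, `$virus`, `$source` and `$user` at the point they are read rather than at the point they are printed, so from here on these variables hold HTML-encoded text that still flows through later string handling (`$source =~ s/\/-//;` in this hunk, the "Remove clamd infos" step right after it, and whatever output code follows outside the hunk). That is only safe if every later use emits them as HTML element or double-quoted attribute text; any use in an `href`/URL, a JavaScript block or a log message would be mis-encoded, which cannot be checked from this hunk alone. The more robust pattern is to keep the raw `param()` values and call `HTML::Entities::encode_entities(...)` in each print/interpolation; if the read-time encoding is kept, a comment such as `# NOTE: values below are already HTML-entity-encoded; only emit them as HTML text/attributes` should mark the invariant. As a point of style, the `&` sigil on `&HTML::Entities::encode_entities(...)` is unnecessary with a fully-qualified name and parentheses, and `param('url') // ''` would avoid `|| ''` discarding a legitimate value of `0`. The script's output section is outside this hunk.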