1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
$NetBSD: patch-az,v 1.4 2020/09/07 10:34:52 mef Exp $
Set &html_escape for the safety
--- mailboxes/search_form.cgi.orig 2012-06-29 22:31:51.000000000 +0000
+++ mailboxes/search_form.cgi
@@ -13,9 +13,9 @@ require './mailboxes-lib.pl';
# Start of form
print &ui_form_start("mail_search.cgi");
-print &ui_hidden("user", $in{'user'});
-print &ui_hidden("dom", $in{'dom'});
-print &ui_hidden("ofolder", $in{'folder'});
+print &ui_hidden("user", &html_escape($in{'user'}));
+print &ui_hidden("dom", &html_escape($in{'user'}));
+print &ui_hidden("ofolder", &html_escape($in{'folder'}));
print &ui_table_start($text{'sform_header'}, "width=100%", 2);
# And/or mode
@@ -54,7 +54,7 @@ print &ui_table_row($text{'sform_folder2
print &ui_table_end();
print &ui_form_end([ [ undef, $text{'sform_ok'} ] ]);
-&ui_print_footer("list_mail.cgi?folder=$in{'folder'}&user=".
- &urlize($in{'user'})."&dom=$in{'dom'}", $text{'mail_return'},
+&ui_print_footer("list_mail.cgi?folder=" . &urlize($in{'folder'}) . "&user=".
+ &urlize($in{'user'})."&dom=".&urlize($in{'dom'}), $text{'mail_return'},
&user_list_link(), $text{'index_return'});
|
