Fix for bug 38859: escape invalid email addresses for HTML before displaying to the user.

Patch by Myk Melez <myk@mozilla.org>
r= jake@acutex.net, justdave@syndicomm.com

1 files changed, 3 insertions, 0 deletions

diff --git a/CGI.pl b/CGI.pl
index 587ecc074..e82ce8911 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -593,6 +593,9 @@ sub CheckEmailSyntax {
     if ($addr !~ /$match/) {
         print "Content-type: text/html\n\n";
 
+        # For security, escape HTML special characters.
+        $addr = html_quote($addr);
+
         PutHeader("Check e-mail syntax");
         print "The e-mail address you entered\n";
         print "(<b>$addr</b>) didn't match our minimal\n";