summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorpreed%sigkill.com <>2002-06-01 18:26:25 +0200
committerpreed%sigkill.com <>2002-06-01 18:26:25 +0200
commitd2895af6fc01b5e782e1a71cf3604cea13cbcf9f (patch)
treecfd3a25ec25a918bfecbe0810f2377f460777154
parentbd9136c71bd942187dba5e0737f1d0f73bb338c1 (diff)
downloadbugzilla-d2895af6fc01b5e782e1a71cf3604cea13cbcf9f.tar.gz
bugzilla-d2895af6fc01b5e782e1a71cf3604cea13cbcf9f.tar.xz
Bug 147486 - Fixes cross site scripting issues; first checked in on the 2.14.1 branch, but I forgot the 2.16 branch/trunk (thanks bbaetz); patch=preed, r=bbaetz,myk
-rwxr-xr-xeditusers.cgi4
1 files changed, 2 insertions, 2 deletions
diff --git a/editusers.cgi b/editusers.cgi
index 06c293e2d..ebc07f2e4 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -343,7 +343,7 @@ if ($action eq 'list') {
$s = "<STRIKE>";
$e = "</STRIKE>";
}
- $realname ||= "<FONT COLOR=\"red\">missing</FONT>";
+ $realname = ($realname ? html_quote($realname) : "<FONT COLOR=\"red\">missing</FONT>");
print "<TR>\n";
print " <TD VALIGN=\"top\"><A HREF=\"editusers.cgi?action=edit&user=", url_quote($user), "\"><B>$s$user$e</B></A></TD>\n";
print " <TD VALIGN=\"top\">$s$realname$e</TD>\n";
@@ -542,7 +542,7 @@ if ($action eq 'del') {
WHERE login_name=" . SqlQuote($user));
my ($realname, $groupset) =
FetchSQLData();
- $realname ||= "<FONT COLOR=\"red\">missing</FONT>";
+ $realname = ($realname ? html_quote($realname) : "<FONT COLOR=\"red\">missing</FONT>");
print "<TABLE BORDER=1 CELLPADDING=4 CELLSPACING=0>\n";
print "<TR BGCOLOR=\"#6666FF\">\n";