authorjustdave%syndicomm.com <>2001-07-04 16:05:59 +0200
committerjustdave%syndicomm.com <>2001-07-04 16:05:59 +0200
commitf208e298e2ac9836c8138449a0691f6deb850c4a (patch)
treea6735fb37995456992708da6408226c5188b198b /CGI.pl
parenta9ead7b9778b67cc02ef2b3df51d08a5f88d4d52 (diff)
Fix for bug 87701: Invalid username in bug changes echoed back without escaping HTML data
Patch by Gervase Markham <gervase.markham@univ.ox.ac.uk> r= justdave@syndicomm.com
Diffstat (limited to 'CGI.pl')
-rw-r--r--CGI.pl9
1 files changed, 6 insertions, 3 deletions
diff --git a/CGI.pl b/CGI.pl
index 09ab23c07..d7782f7e8 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -659,7 +659,7 @@ sub quietly_check_login() {
sub CheckEmailSyntax {
my ($addr) = (@_);
my $match = Param('emailregexp');
- if ($addr !~ /$match/) {
+ if ($addr !~ /$match/ || $addr =~ /[\\\(\)<>&,;:"\[\] \t\r\n]/) {
print "Content-type: text/html\n\n";
# For security, escape HTML special characters.
@@ -669,8 +669,11 @@ sub CheckEmailSyntax {
print "The e-mail address you entered\n";
print "(<b>$addr</b>) didn't match our minimal\n";
print "syntax checking for a legal email address.\n";
- print Param('emailregexpdesc');
- print "<p>Please click <b>back</b> and try again.\n";
+ print Param('emailregexpdesc') . "\n";
+ print "It must also not contain any of these special characters: " .
+ "<tt>\\ ( ) &amp; &lt; &gt; , ; : \" [ ]</tt> " .
+ "or any whitespace.\n";
+ print "<p>Please click <b>Back</b> and try again.\n";
PutFooter();
exit;
}
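Review bot: The new error text promises that "any whitespace" is rejected, but the character class added in the first hunk, `/[\\\(\)<>&,;:"\[\] \t\r\n]/`, only covers space, tab, CR and LF, so form feed and vertical tab pass the check while the message says otherwise. Using `\s` in the class keeps the check and the message in agreement: `if ($addr !~ /$match/ || $addr =~ /[\\()<>&,;:"\[\]\s]/) {`. The forbidden-character list is now duplicated between that regex and the hard-coded message built from the three concatenated strings here, so a comment above the check such as `# Keep this character list in sync with the message printed below.` would help them stay aligned, and a single `qr//` constant shared by both would be stronger still. `Param('emailregexpdesc')` is printed as raw HTML, which appears to be intended for an admin-controlled parameter but deserves a comment saying so. The closing brace of CheckEmailSyntax is outside this hunk.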