path: root/process_bug.cgi
author justdave%syndicomm.com <> 2001-08-25 02:32:24 +0200
committer justdave%syndicomm.com <> 2001-08-25 02:32:24 +0200
commit 549954949a402ba5bc84cfb83cda3d62a8e1a887
tree 64ac2ddb9c40844739db9ae9583cdbf41af9aa9b /process_bug.cgi
parent 0fb6fdfab23fa6e82bce48af1b4872b0b5203425
Fix for bug 95235: variables with untrusted content were being echoed back to the user in error messages. Those variables are now run through html_quote() first.
Patch by Gavin Shelley <gavins@iplbath.com> r= justdave@syndicomm.com
Diffstat (limited to 'process_bug.cgi')
-rwxr-xr-x process_bug.cgi 3
1 files changed, 2 insertions, 1 deletions
diff --git a/process_bug.cgi b/process_bug.cgi
index 82e9cb988..53ec8d9da 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -749,7 +749,8 @@ if ($::FORM{'keywords'}) {
}
my $i = GetKeywordIdFromName($keyword);
if (!$i) {
- PuntTryAgain("Unknown keyword named <code>$keyword</code>. " .
+ PuntTryAgain("Unknown keyword named <code>" .
+ html_quote($keyword) . "</code>. " .
"<P>The legal keyword names are " .
"<A HREF=describekeywords.cgi>" .
"listed here</A>.");