From 1ade641d4492138b0590c5717b47b429fff83d8a Mon Sep 17 00:00:00 2001
From: "bugreport%peshkin.net" <>
Date: Sat, 10 Jul 2004 14:27:48 +0000
Subject: Bug 236650: html_quote and validate email addresses in editueser.cgi patch by vlad r=joel,justdave a=justdave
---
 editusers.cgi | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'editusers.cgi')
diff --git a/editusers.cgi b/editusers.cgi
index f7824e435..9dfc672d9 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -357,7 +357,7 @@ if ($action eq 'list') {
 }
 $realname = ($realname ? html_quote($realname) : "missing");
 print "\n";
- print " $s$user$e\n";
+ print " $s", html_quote($user), "$e\n";
 print " $s$realname$e\n";
 if ($candelete) {
 print " Delete\n";
@@ -749,6 +749,14 @@ if ($action eq 'update') {
 WHERE login_name=" . SqlQuote($userold));
 my ($thisuserid) = FetchSQLData();
 
+ my $emailregexp = Param("emailregexp");
+ unless ($user =~ m/$emailregexp/) {
+ print "The user name entered must be a valid e-mail address. Please press\n";
+ print "Back and try again.\n";
+ PutTrailer($localtrailer);
+ exit;
+ }
+
 my @grpadd = ();
 my @grpdel = ();
 my $chggrp = 0;
--
cgit v1.2.3-24-g4f1b
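Review bot: The new check in the `update` branch relies entirely on the site-configured `emailregexp` parameter, so `unless ($user =~ m/$emailregexp/)` only yields a safe login name when that pattern is anchored and strict. A site that relaxes the pattern for local account names would, as far as this hunk shows, still accept markup characters, and a pattern anchored with `$` would still match a value that ends in a newline. I would reject those characters explicitly alongside the configured pattern, e.g. `unless ($user =~ m/$emailregexp/ && $user !~ m/[<>&"\s]/) {`, and add a comment such as `# emailregexp is site-configurable; every output of $user must still go through html_quote()`. The check also runs after the `SELECT` on `$userold`; moving it ahead of the query would reject bad input before any database work. The enclosing `if ($action eq 'update')` block starts and ends outside the hunk, so whether the `new` action gets the same validation cannot be confirmed from here.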