From d2895af6fc01b5e782e1a71cf3604cea13cbcf9f Mon Sep 17 00:00:00 2001
From: "preed%sigkill.com" <>
Date: Sat, 1 Jun 2002 16:26:25 +0000
Subject: Bug 147486 - Fixes cross site scripting issues; first checked in on the 2.14.1 branch, but I forgot the 2.16 branch/trunk (thanks bbaetz); patch=preed, r=bbaetz,myk
---
 editusers.cgi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'editusers.cgi')
diff --git a/editusers.cgi b/editusers.cgi
index 06c293e2d..ebc07f2e4 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -343,7 +343,7 @@ if ($action eq 'list') {
 $s = "";
 $e = "";
 }
- $realname ||= "missing";
+ $realname = ($realname ? html_quote($realname) : "missing");
 print "\n";
 print " $s$user$e\n";
 print " $s$realname$e\n";
@@ -542,7 +542,7 @@ if ($action eq 'del') {
 WHERE login_name=" . SqlQuote($user));
 my ($realname, $groupset) = FetchSQLData();
- $realname ||= "missing";
+ $realname = ($realname ? html_quote($realname) : "missing");
 print "\n";
 print "\n";
--
cgit v1.2.3-24-g4f1b
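Review bot: `$user` is still interpolated raw in `print " $s$user$e\n";`, the line directly after the newly escaped `$realname`, so the list view escapes one stored user field and not the other. Unless login names are restricted elsewhere to characters that are safe in HTML (not visible in this hunk), it should get the same treatment, e.g. `my $user_html = html_quote($user);` and then print `$s$user_html$e`. The same question applies wherever `$user` is echoed in the `del` branch touched by the second hunk. The `list` branch starts and ends outside the hunk, so other output sites in it could not be checked here.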
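Review bot: Overwriting `$realname` with its escaped form right after `FetchSQLData()` leaves it HTML-encoded for the rest of the `del` branch, which makes it easy to escape it a second time or to reuse it later in a non-HTML context. Either escape at the point of output, or mark the assignment with a comment such as `# $realname is HTML-escaped from here on; do not quote it again`. The truthiness test also keeps the old `||=` behaviour of displaying a real name of `0` as "missing"; testing `defined($realname) && length($realname)` instead would avoid that. The `del` branch continues outside the hunk, so later uses of `$realname` are not visible here.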