From c80f09165ba5c1e7045b88e12e5ef73e4e70595a Mon Sep 17 00:00:00 2001 From: Stefan Ritt Date: Thu, 6 Sep 2007 19:28:30 +0000 Subject: [PATCH] Fixed XSS vulnerability with subtext SVN revision: 1913 --- src/elogd.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/elogd.c b/src/elogd.c index 679d9fcb..54c710f5 100755 --- a/src/elogd.c +++ b/src/elogd.c @@ -17372,8 +17372,10 @@ void show_page_filters(LOGBOOK * lbs, int n_msg, int page_n, BOOL mode_commands, ("\n", list[index], - isparam(list[index]) && *getparam(list[index]) ? getparam(list[index]) : str); + if (isparam(list[index]) && *getparam(list[index])) + strencode2(str, getparam(list[index]), sizeof(str)); + + rsprintf(" name=\"%s\" value=\"%s\">\n", list[index], str); } } else {
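Review bot: Only the request-parameter branch goes through `strencode2()`; when `isparam(list[index])` is false, whatever `str` already held is written into `value=\"%s\"` unchanged, and `list[index]` is written into `name=\"%s\"` unencoded on both paths. Whether those two values are attribute-safe depends on code above the hunk, which is not visible here. I would state the invariant at the call, for example `/* str is HTML-encoded on the parameter path only; the default assigned above must be attribute-safe as well */`, or encode both values into a separate buffer right before the `rsprintf`. `sizeof(str)` is the buffer size only if `str` is declared as an array in `show_page_filters` (the declaration is outside the hunk), and it is worth confirming that `strencode2` cannot cut an entity in half when a long parameter reaches that limit. Braces around the `if` body would also keep a later second statement from silently landing outside the condition.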