Module: check_mk
Branch: master
Commit: d87d0215c125ee0b62e6224b809817955c359246
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=d87d0215c125ee…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Thu Dec 20 15:10:31 2012 +0100
FIX: quote HTML variable names, fixes potential JS injection
---
web/htdocs/htmllib.py | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index af25c4c..8f519a6 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -330,7 +330,7 @@ class html:
def hidden_field(self, var, value, id = None, add_var = False):
if value != None:
id = id and ' id="%s"' % id or ''
- self.write("<input type=hidden name=%s
value=\"%s\"%s>" % (var, attrencode(value), id))
+ self.write("<input type=hidden name=\"%s\"
value=\"%s\"%s>" % (attrencode(var), attrencode(value), id))
if add_var:
self.add_form_var(var)
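Review bot: The `id` argument still reaches the markup unencoded: the context line `id = id and ' id="%s"' % id or ''` builds the attribute from the raw parameter, so after this commit `var` and `value` are encoded but `id` is not, and a caller-supplied id containing a double quote can still break out of the attribute the same way the old unquoted `name` could. The same `attrencode` treatment should be applied there, `id = id and ' id="%s"' % attrencode(id) or ''`, so that all three interpolated values go through the same escaping path. Whether `attrencode` itself escapes double quotes is not visible in this hunk and should be confirmed, since both the new `name="%s"` and the existing `value="%s"` rely on it. The hunk header counts seven lines on each side, so `hidden_field` appears to end at the `add_form_var` call, but that cannot be confirmed from the excerpt.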