Module: check_mk
Branch: master
Commit: 34b7c6d87bc65778bc992314672afe23c3cbe923
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=34b7c6d87bc657…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Thu Dec 20 15:10:31 2012 +0100
FIX: quote HTML variable names, fixes potential JS injection
---
ChangeLog | 1 +
web/htdocs/htmllib.py | 2 +-
2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d2d11c0..371a5f5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -67,6 +67,7 @@
* FIX: Main Frame without sidebar: reload after activate changes
* FIX: output_format json: handle newlines correctly
* FIX: handle ldap logins with ',' in distinguished name
+ * FIX: quote HTML variable names, fixes potential JS injection
WATO:
* FIX: Fixed generated manual check definitions for checks without items
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index af25c4c..8f519a6 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -330,7 +330,7 @@ class html:
def hidden_field(self, var, value, id = None, add_var = False):
if value != None:
id = id and ' id="%s"' % id or ''
- self.write("<input type=hidden name=%s
value=\"%s\"%s>" % (var, attrencode(value), id))
+ self.write("<input type=hidden name=\"%s\"
value=\"%s\"%s>" % (attrencode(var), attrencode(value), id))
if add_var:
self.add_form_var(var)
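Review bot: The `id` attribute built two lines above the changed write is still interpolated raw — `' id="%s"' % id` — so it gets none of the attribute encoding this commit adds for `var` and `value`; for consistency it should go through the same helper, `id = id and ' id="%s"' % attrencode(id) or ''`. Whether `id` can ever carry caller-supplied or request-derived text is not visible from this hunk, but encoding it unconditionally closes the same class of gap at no cost. The `value != None` test on the preceding line would also conventionally be written `value is not None`. The end of hidden_field may lie outside the hunk.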