[checkmk-commits] Check_MK Git: check_mk: FIX: quote HTML variable names, fixes potential JS injection

Module: check_mk Branch: master Commit: 34b7c6d87bc65778bc992314672afe23c3cbe923 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=34b7c6d87bc657… Author: Mathias Kettner &lt;mk(a)mathias-kettner.de&gt; Date: Thu Dec 20 15:10:31 2012 +0100 FIX: quote HTML variable names, fixes potential JS injection --- ChangeLog | 1 + web/htdocs/htmllib.py | 2 +- 2 files changed, 2 insertions(+), 1 deletions(-) diff --git a/ChangeLog b/ChangeLog index d2d11c0..371a5f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -67,6 +67,7 @@ * FIX: Main Frame without sidebar: reload after activate changes * FIX: output_format json: handle newlines correctly * FIX: handle ldap logins with ',' in distinguished name + * FIX: quote HTML variable names, fixes potential JS injection WATO: * FIX: Fixed generated manual check definitions for checks without items diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py index af25c4c..8f519a6 100644 --- a/web/htdocs/htmllib.py +++ b/web/htdocs/htmllib.py @@ -330,7 +330,7 @@ class html: def hidden_field(self, var, value, id = None, add_var = False): if value != None: id = id and ' id="%s"' % id or '' - self.write("<input type=hidden name=%s value=\"%s\"%s>" % (var, attrencode(value), id)) + self.write("<input type=hidden name=\"%s\" value=\"%s\"%s>" % (attrencode(var), attrencode(value), id)) if add_var: self.add_form_var(var)