authorIvan Kohler <ivan@freeside.biz>2014-10-09 11:11:31 -0700
committerIvan Kohler <ivan@freeside.biz>2014-10-09 11:11:31 -0700
commit81ccfc6f631270015f2ae11d4019c4b8b9ce7514 (patch)
tree8cf9a3cda8d12ae0b97b631b80f637eae34ba5c8
parent05a99e84eb795dcf19cda5133a4a89a1976fedfc (diff)
XSS
-rw-r--r--httemplate/browse/part_event.html6
1 files changed, 4 insertions, 2 deletions
diff --git a/httemplate/browse/part_event.html b/httemplate/browse/part_event.html
index ba036c8c6..d2e69460e 100644
--- a/httemplate/browse/part_event.html
+++ b/httemplate/browse/part_event.html
@@ -175,8 +175,10 @@ my $html_init =
'&nbsp;or&nbsp;<SELECT NAME="clone"><OPTION></OPTION>';
foreach my $part_event ( qsearch('part_event', {'disabled'=>''}) ) {
- $html_init .= '<OPTION VALUE="'. $part_event->eventpart. '">'.
- $part_event->eventpart. ': '. $part_event->event. '</OPTION>';
+ $html_init .= '<OPTION VALUE="'. $part_event->eventpart. '">'.
+ $part_event->eventpart. ': '.
+ encode_entities($part_event->event).
+ '</OPTION>';
}
$html_init .= '</SELECT><INPUT TYPE="submit" VALUE="Clone existing event">'.
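Review bot: `$part_event->eventpart` is still concatenated unescaped into both the `VALUE="..."` attribute and the option text on the added lines, while only `event` goes through `encode_entities`. If eventpart is always a database-generated integer key (it looks like one, but the hunk does not show that) this is harmless, yet escaping it too, `'<OPTION VALUE="'. encode_entities($part_event->eventpart). '">'`, keeps the output safe without relying on that assumption. The hunk does not show where `encode_entities` is brought into scope for this template, so that is worth confirming. The `$html_init` statement starts above the hunk and continues below it, so any other place on this page that prints `event` could not be checked from here.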