XSS

author Ivan Kohler <ivan@freeside.biz>

Thu, 9 Oct 2014 18:11:27 +0000 (11:11 -0700)

committer Ivan Kohler <ivan@freeside.biz>

Thu, 9 Oct 2014 18:11:27 +0000 (11:11 -0700)
author Ivan Kohler <ivan@freeside.biz>
Thu, 9 Oct 2014 18:11:27 +0000 (11:11 -0700)
committer Ivan Kohler <ivan@freeside.biz>
Thu, 9 Oct 2014 18:11:27 +0000 (11:11 -0700)
diff --git a/httemplate/browse/part_event.html b/httemplate/browse/part_event.html

index 575294e..4b95b86 100644 (file)
--- a/httemplate/browse/part_event.html
+++ b/httemplate/browse/part_event.html
@@ -175,8 +175,10 @@ my $html_init =
    '&nbsp;or&nbsp;<SELECT NAME="clone"><OPTION></OPTION>';
  
  foreach my $part_event ( qsearch('part_event', {'disabled'=>''}) ) {
-  $html_init .=  '<OPTION VALUE="'. $part_event->eventpart. '">'.
-                  $part_event->eventpart. ': '. $part_event->event. '</OPTION>';
+  $html_init .= '<OPTION VALUE="'. $part_event->eventpart. '">'.
+                  $part_event->eventpart. ': '. 
+                  encode_entities($part_event->event).
+                '</OPTION>';
  }
  
  $html_init .= '</SELECT><INPUT TYPE="submit" VALUE="Clone existing event">'.
author	Ivan Kohler <ivan@freeside.biz>
	Thu, 9 Oct 2014 18:11:27 +0000 (11:11 -0700)
committer	Ivan Kohler <ivan@freeside.biz>
	Thu, 9 Oct 2014 18:11:27 +0000 (11:11 -0700)