html formatter: encode href attributes

These contain untrusted data, so treat them accordingly.

Reported-by: Li, Jian Tao <li.jiantao@starlabs.sg>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit 6781735008)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2022-05-17 14:48:27 +02:00 committed by Thomas Lamprecht
parent cdaec513e0
commit 00661f1223


@ -91,7 +91,7 @@ sub render_page {
text => 'Home'}};
foreach my $comp (@pcomp) {
$href .= "/$comp";
$href .= "/".encode_entities($comp);
push @$items, { tag => 'li', cn => {
tag => 'a',
href => $href,
@ -214,7 +214,7 @@ PVE::APIServer::Formatter::register_formatter($portal_format, sub {
push @$items, {
tag => 'a',
class => 'list-group-item',
href => "$path/$value",
href => "$path/".encode_entities($value),
cn => [
{
tag => 'h4',
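Review bot: `encode_entities($comp)` on the new line of the first hunk (and `encode_entities($value)` in the second) only escapes the characters that could terminate the attribute; it does not percent-encode the path segment, so a component containing `/`, `?`, `#`, `%` or whitespace still changes where the rendered link points. The segment should be URL-escaped before it is HTML-encoded, e.g. `$href .= "/".encode_entities(uri_escape_utf8($comp));` with `uri_escape_utf8` from URI::Escape (a new dependency if the file does not already load it). Because the already-encoded text is accumulated into `$href` and handed to the serializer via `href => $href`, whatever emits the attribute must not encode it a second time or `&` in a component becomes `&amp;amp;`, which is worth a comment at the point `$href` is built, e.g. `# already HTML-encoded; the serializer must emit this attribute verbatim`. `$path` in the second hunk is concatenated unencoded; if it can carry caller-supplied data it needs the same treatment. Both `render_page` and the `register_formatter` callback continue outside their hunks.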