16 lines
671 B
Tcl
16 lines
671 B
Tcl
$NetBSD: patch-modules_html_html.tcl,v 1.1 2015/03/21 17:14:04 bsiegert Exp $
|
|
|
|
html - Fixed XSS vulnerability of "textarea" command. Now properly quoting the input value.
|
|
http://core.tcl.tk/tcllib/info/09110adc43
|
|
|
|
--- modules/html/html.tcl.orig 2015-03-21 17:08:44.000000000 +0000
|
|
+++ modules/html/html.tcl
|
|
@@ -912,7 +912,7 @@ proc ::html::selectPlain {name param cho
|
|
# The html fragment
|
|
|
|
proc ::html::textarea {name {param {}} {current {}}} {
|
|
- ::set value [ncgi::value $name $current]
|
|
+ ::set value [quoteFormValue [ncgi::value $name $current]]
|
|
return "<[string trimright \
|
|
"textarea name=\"$name\"\
|
|
[tagParam textarea $param]"]>$value</textarea>\n"
|