Fix a few XSS-ish issues.
authorSteinar H. Gunderson <sesse@debian.org>
Wed, 25 Jul 2007 11:12:22 +0000 (13:12 +0200)
committerSteinar H. Gunderson <sesse@debian.org>
Wed, 25 Jul 2007 11:12:22 +0000 (13:12 +0200)
perl/Sesse/pr0n/Common.pm
perl/Sesse/pr0n/Index.pm

index e12e8dc53efa85bba94a5a3221c37ab58025980f..073996f187bc06783d1dc8ac8c27019e6974d691 100644 (file)
@@ -24,6 +24,7 @@ use LWP::Simple;
 # use Image::Info;
 use Image::ExifTool;
 use HTML::Entities;
+use URI::Escape;
 
 BEGIN {
        use Exporter ();
@@ -130,8 +131,11 @@ sub get_query_string {
                next unless defined($value);
                next if (defined($defparam->{$key}) && $value == $defparam->{$key});
 
-               # FIXME: We'll need to escape _ here somehow
-               $value =~ s/ /_/g;
+               $value = URI::Escape::uri_escape($value);
+
+               # Unescape a few for prettiness (we'll need something for a real _, though)
+               $value =~ s/%20/_/g;
+               $value =~ s/%2F/\//g;
        
                $str .= ($first) ? "?" : ';';
                $str .= "$key=$value";
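Review bot: The `_` ambiguity the new comment admits is fixable in this hunk: `uri_escape` leaves a literal `_` untouched, so after the `s/%20/_/g` on the following line a real underscore and an escaped space are indistinguishable to whatever parses the string back. Inserting `$value =~ s/_/%5F/g;` between the `uri_escape` call and the `%20` substitution keeps the two apart, provided the parsing side percent-decodes before it maps `_` back to a space. Two further points on the same lines: `$key` is still interpolated unescaped into `"$key=$value"` (harmless if keys are only internal parameter names, which cannot be confirmed from the hunk), and `URI::Escape::uri_escape` croaks on characters above 0xFF, so if `$value` can carry non-ASCII text `uri_escape_utf8` is the safer call. get_query_string's body starts outside the hunk.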
index b8b954f4be2880d6ac71825944ed3857775e2809..b8825bdb748fd0e6ddd01902737d52546d4e89a5 100644 (file)
@@ -251,6 +251,7 @@ sub handler {
                                for my $e (@equipment) {
                                        my $eqspec = $e->{'model'};
                                        $eqspec .= ', ' . $e->{'lens'} if (defined($e->{'lens'}));
+                                       $eqspec = HTML::Entities::encode_entities($eqspec);
 
                                        my %newsettings = %defsettings;