From: Steinar H. Gunderson
Date: Wed, 25 Jul 2007 11:12:22 +0000 (+0200)
Subject: Fix a few XSS-ish issues.
X-Git-Url: https://git.sesse.net/?p=pr0n;a=commitdiff_plain;h=927b8258de3030178d59304b9b45648930482d49

Fix a few XSS-ish issues.
---
diff --git a/perl/Sesse/pr0n/Common.pm b/perl/Sesse/pr0n/Common.pm
index e12e8dc..073996f 100644
--- a/perl/Sesse/pr0n/Common.pm
+++ b/perl/Sesse/pr0n/Common.pm
@@ -24,6 +24,7 @@ use LWP::Simple;
 # use Image::Info;
 use Image::ExifTool;
 use HTML::Entities;
+use URI::Escape;
 
 BEGIN {
 use Exporter ();
@@ -130,8 +131,11 @@ sub get_query_string {
 next unless defined($value);
 next if (defined($defparam->{$key}) && $value == $defparam->{$key});
 
-# FIXME: We'll need to escape _ here somehow
-$value =~ s/ /_/g;
+$value = URI::Escape::uri_escape($value);
+
+# Unescape a few for prettiness (we'll need something for a real _, though)
+$value =~ s/%20/_/g;
+$value =~ s/%2F/\//g;
 
 $str .= ($first) ? "?" : ';';
 $str .= "$key=$value";
diff --git a/perl/Sesse/pr0n/Index.pm b/perl/Sesse/pr0n/Index.pm
index b8b954f..b8825bd 100644
--- a/perl/Sesse/pr0n/Index.pm
+++ b/perl/Sesse/pr0n/Index.pm
@@ -251,6 +251,7 @@ sub handler {
 for my $e (@equipment) {
 my $eqspec = $e->{'model'};
 $eqspec .= ', ' . $e->{'lens'} if (defined($e->{'lens'}));
+$eqspec = HTML::Entities::encode_entities($eqspec);
 my %newsettings = %defsettings;
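Review bot: `uri_escape($value)` on the first added line of the get_query_string hunk relies on the default unsafe set, and depending on the URI::Escape version that default follows RFC 2396 and leaves `!*'()` unescaped, so a `'` in a value can still reach the query string; `$key` is likewise interpolated raw into `"$key=$value"` two lines below, which the commit does not touch. Passing an explicit class makes the escaping independent of the installed version and also gives the literal `_` the comment worries about a distinct spelling: `$value = URI::Escape::uri_escape($value, q{^A-Za-z0-9.~-});` — the `%5F` a real underscore then becomes only round-trips if the reader maps `_` back to space before percent-decoding, which I cannot confirm from this hunk. If `$key` can come from request input it should get the same treatment, and since URI escaping is not HTML escaping, the assembled string still has to pass through `HTML::Entities::encode_entities` (already imported in this file) wherever it is written into a page. get_query_string starts and ends outside this hunk.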