tags 780100 + patch
thanks

Hi Moritz,

On Mon, Mar 9, 2015 at 1:29 PM, Moritz Muehlenhoff <j...@inutil.org> wrote:
>
> Hi,
> please see
> https://www.sektioneins.de/en/advisories/advisory-012015-xss-tcllib-html-textarea.html
>
> It would be nice if we could get that fixed in jessie.

Well, the patch is quite simple. Should I prepare the full upload?

Cheers!
-- 
Sergei Golovan
Author: upstream Description: Patch fixes an XSS vulnerability in <textarea/> HTML element in the html Tcllib module Last-Modified: Mon, 09 Mar 2015 15:06:15 +0300 --- a/modules/html/html.tcl +++ b/modules/html/html.tcl @@ -912,7 +912,7 @@ # The html fragment proc ::html::textarea {name {param {}} {current {}}} { - ::set value [ncgi::value $name $current] + ::set value [quoteFormValue [ncgi::value $name $current]] return "<[string trimright \ "textarea name=\"$name\"\ [tagParam textarea $param]"]>$value</textarea>\n"
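
Review bot: in the return string of ::html::textarea, only the element body goes through quoteFormValue; $name is still interpolated unquoted into name=\"$name\" in the unchanged context lines. If a caller can ever pass a name taken from request data, it would need the same quoting in attribute position, so consider wrapping it in quoteFormValue as well, or state in the proc comment that name must be a trusted literal. A regression test that passes a value containing </textarea> and checks that it comes out escaped would also be worth adding with this change.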