From e3b242e4d807ebb0dbcc87a73fce53549e13135e Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Wed, 11 Jan 2012 21:46:41 +0000
Subject: [PATCH] flash_error.tpl: - html-escape flash_info() / flash_error() messages to fix XSS if the message contains user-supplied input (thanks to Filippo Cavallarin for the report) Note: This will cause ugly output for some german error messages which contain ü etc., and the warning message in backup.php (with some HTML tags included) will also look totally ugly. Nevertheless, that's still better than XSS attacks ;-)
git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1331 a1433add-5e2c-0410-b055-b7f2511e0802
---
templates/flash_error.tpl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/flash_error.tpl b/templates/flash_error.tpl
index 61fdbd75..264139cf 100644
--- a/templates/flash_error.tpl
+++ b/templates/flash_error.tpl
@@ -5,14 +5,14 @@ {if isset($smarty.session.flash.info)} {/if} {if isset($smarty.session.flash.error)} {/if}
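Review bot: The `-`/`+` lines of this hunk did not survive extraction — only the four `{if}`/`{/if}` context lines are visible — so the escape modifier actually applied to `$smarty.session.flash.info` and `$smarty.session.flash.error` cannot be checked here, and the remarks below rest on the commit description. The mangled umlauts the description expects suggest the modifier escapes with a charset that differs from the page's; if it is Smarty's `escape`, passing the output charset explicitly, e.g. `{$smarty.session.flash.error|escape:'html':'UTF-8'}`, keeps `<`, `>`, `&` and quotes neutralised while leaving ü intact. The backup.php warning that intentionally carries HTML should not become a reason to weaken this escaping later; if raw markup is genuinely needed there, give it a separate, explicitly trusted flash key rather than unescaping user-facing messages. This fix covers this template only: the same session values must be escaped wherever another template prints them.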