Le 22/07/2003 18:57, Lincoln Stein a écrit :
But this was fixed long ago in version 2.94. We're at version 2.98 now. The most up-to-date copy is always in CPAN.

Please find attached the patch against CGI.pm version 2.98.


--
Erwann Corvellec
--- CGI.pm.ori  2003-06-18 21:57:21.000000000 +0200
+++ CGI.pm      2003-07-23 09:53:18.000000000 +0200
@@ -1641,7 +1641,7 @@
     unless (defined $action) {
        $action = $self->url(-absolute=>1,-path=>1);
        if (length($ENV{QUERY_STRING})>0) {
-           $action .= "?$ENV{QUERY_STRING}";
+           $action .= '?' . $self->escapeHTML($ENV{QUERY_STRING},1);
        }
     }
     $action =~ s/\"/%22/g;  # fix cross-site scripting bug reported by obscure

Reply via email to