diff -u info2html-2.0-orig/info2html info2html-2.0/info2html
--- info2html-2.0-orig/info2html 2006-09-01 14:55:13.000000000 +0200
+++ info2html-2.0/info2html 2006-09-01 15:05:41.000000000 +0200
@@ -42,7 +42,7 @@
use CGI;
$ENV{'REQUEST_METHOD'} or
- print "Note: I'm really supposed to be run as a CGI!\n";
+ print "Note: I'm really supposed to be run as a CGI\!\n";
#-- patterns
$NODEBORDER = '\037\014?'; #-- delimiter of an info node
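Review bot: The replacement line changes nothing at run time: `\!` is not a recognised escape in a Perl double-quoted string and `!` needs no escaping there, so the backslash is dropped and the printed text is identical to the old line. Either leave the original line untouched or say in the commit message what problem the edit is meant to address, since as written it only adds an unusual escape for a later reader to puzzle over.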
@@ -62,7 +62,7 @@
#---------------------------------------------------------
# Don't reveal where we're looking... --jonh 5/20/97 (and reapplied 5/4/1998)
sub DieFileNotFound{
- local($FileName) = @_;
+ local($FileName) = &XssEscape(@_);
#-- TEXT : error message if a file could not be opened
print <<"EOF";
Info Files - Error Message
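Review bot: The escaped name is written straight back into `$FileName`, so anything later in DieFileNotFound that uses the name for something other than display (a path lookup, a log line) would now see the entity-encoded form; the sub's body continues past the hunk, so that cannot be checked here. Keeping the raw value apart from the display value avoids the ambiguity: `my ($FileName) = @_;` followed by `my $SafeFileName = XssEscape($FileName);`, with `$SafeFileName` interpolated in the heredoc. The same applies to the two assignments added in ReplyNotFoundMessage further down. `&XssEscape(@_)` also passes the whole argument list to a sub that reads only its first element, and the `&sub(...)` call form is an old idiom that `XssEscape(...)` replaces.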
@@ -104,6 +104,28 @@
}
#----------------------------------------------------------
+# XssEscape
+#----------------------------------------------------------
+sub XssEscape {
+ local($Tag) = @_;
+ #-- output escaping is required to protect browser
+ # against `cross site' and `cross frame scripting'
+
+ $Tag =~ s/&/&/gs; # ampersand
+ $Tag =~ s/#/#/gs;
+ $Tag =~ s/;/;/gs;
+ $Tag =~ s/[\000-\037\177-\237]/¿/gs; # "ctrl" codes 0-31 and 127-159
+ $Tag =~ s/</gs; # less-than symbol
+ $Tag =~ s/>/>/gs; # greater-than symbol
+ $Tag =~ s/"/"/gs; # double quote
+ $Tag =~ s/\240/ /gs; # non-breaking space
+ $Tag =~ s/\255//gs; # soft hyphen
+ # the rest is interpreted
+ # as ISO 8859-1
+ $Tag;
+}
+
+#----------------------------------------------------------
# ParsHeaderToken
#----------------------------------------------------------
# Parses the heaer line of an info node for a specific
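Review bot: The substitution that rewrites `;` runs after the ones for `&` and `#`, so if those two emit entity references, the `;` that terminates each freshly emitted entity is itself rewritten on the later pass and the escaped output is corrupted; as rendered here the replacement halves read as the same characters they match, which looks like entity text decoded by the page, and the `<` line is not even valid Perl as shown, so the actual replacement strings need to be confirmed against the source. A single pass that never rescans its own output removes the ordering problem and can also cover the apostrophe, which is not escaped at all and matters wherever the result lands inside a single-quoted attribute: `$Tag =~ s/([&#;<>"'])/sprintf('&#%d;', ord $1)/ge;` in place of the `&`, `#`, `;`, `<`, `>` and `"` substitutions, keeping the control-character, no-break-space and soft-hyphen substitutions after it. `local($Tag)` makes the working copy a package global; `my ($Tag) = @_;` is enough, and the sub should end with an explicit `return $Tag;`.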
@@ -493,6 +515,8 @@
#----------------------------------------------------------
sub ReplyNotFoundMessage{
local($FileName,$Tag) = @_;
+ $FileName = &XssEscape($FileName);
+ $Tag = &XssEscape($Tag);
print <<"EOF";
Info Files - Error Message
$BOTS_STAY_AWAY
Only in info2html-2.0: info2html.orig
Only in info2html-2.0: info2html.rej