From 20b20c20f2d40ad2bc1cc2e164f0b6d3c92321dd Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Mon, 5 Sep 2011 16:56:09 +0200
Subject: web/template/login_form.php: Escape the request URI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported-by: Thomas Bächler <thomas@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/template/login_form.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/web/template/login_form.php b/web/template/login_form.php
index 969a371..c27e9ba 100644
--- a/web/template/login_form.php
+++ b/web/template/login_form.php
@@ -11,7 +11,7 @@ elseif (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']))
 		print "<span class='error'>" . $login_error . "</span><br />\n";
 	}
 ?>
-<form method="post" action="<?php echo $_SERVER['REQUEST_URI'] ?>">
+<form method="post" action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES) ?>">
 	<div>
 	<label for="user"><?php print __('Username') . ':'; ?></label>
 	<input type="text" name="user" id="user" size="30" maxlength="<?php print USERNAME_MAX_LEN; ?>" value="<?php
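Review bot: The `action` on the new `<form>` line is now escaped but is still taken verbatim from the request, so the target of the credential POST stays client-influenced. A fixed script path or an omitted `action` would remove that dependency; whether a URI with a leading `//` can reach this template depends on server routing that is not visible here. If the reflected URI is kept, pass the charset explicitly so the escaping does not depend on the PHP version's default, assuming the page is served as UTF-8: `htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8')`. Separately, the context line that prints `$login_error` into the `<span>` is unescaped; it is assigned outside the hunk, so confirm it never carries request data. The enclosing `elseif` branch starts and ends outside the hunk.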
-- 
cgit v1.2.3-54-g00ecf