strip off html tags from updates

diff --git a/Util.pm b/Util.pm
index 371aae9..cb6cf82 100644 (file)
--- a/Util.pm
+++ b/Util.pm
@@ -278,6 +278,38 @@ sub CheckLatLong {
   }
 }
 
+sub FixParams {
+  my $query = shift;
+  my $key;
+  my @names = $query->param;
+
+  foreach $key (@names) { # web security is a joke ... <sigh>
+    $_ = $query->param($key);
+    s/&/&amp;/g; 
+    s/[<\x8B]/&lt;/g;
+    s/[>\x9B]/&gt;/g;
+
+    $query->param($key, $_);
+  }
+}   
+
+  
+sub LDAPUpdate {
+  my $ldap = shift;
+  my $dn = shift;
+  my $attr = shift;
+  my $val = shift;
+  my $mesg;
+  
+  if (!$val) {
+    $mesg = $ldap->modify($dn, delete => { $attr => [] });
+  } else {
+    $val = [ $val ] if (!ref($val));
+    $mesg = $ldap->modify($dn, replace => { $attr => $val });
+    $mesg->code && &Util::HTMLError("error updating $attr: ".$mesg->error);
+  }
+}
+
 ###################
 # Config file stuff
 sub ReadConfigFile {
@@ -301,20 +333,4 @@ sub ReadConfigFile {
   return %config;
 }
 
-sub LDAPUpdate {
-  my $ldap = shift;
-  my $dn = shift;
-  my $attr = shift;
-  my $val = shift;
-  my $mesg;
-  
-  if (!$val) {
-    $mesg = $ldap->modify($dn, delete => { $attr => [] });
-  } else {
-    $val = [ $val ] if (!ref($val));
-    $mesg = $ldap->modify($dn, replace => { $attr => $val });
-    $mesg->code && &Util::HTMLError("error updating $attr: ".$mesg->error);
-  }
-}
-
 1;

diff --git a/update.cgi b/update.cgi
index 1a92dce..9aabb33 100755 (executable)
--- a/update.cgi
+++ b/update.cgi
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 
-# $Id: update.cgi,v 1.7 2000/05/06 06:10:05 tausq Exp $
+# $Id: update.cgi,v 1.8 2000/05/13 18:39:05 tausq Exp $
 # (c) 1999 Randolph Chung. Licensed under the GPL. <tausq@debian.org>
 
 use lib '.';
@@ -94,6 +94,8 @@ if (!($query->param('doupdate'))) {
   # Actually update stuff...
   my ($newpassword, $newstaddress);
   
+  &Util::FixParams($query);
+
   if (($query->param('labeledurl')) && 
       ($query->param('labeledurl') !~ /^https?:\/\//i)) {
     &Util::HTMLError("Your homepage URL is invalid");