From 0ce1fd1e8663e8d7c95b53af17d55aba782c26de Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY <perl@shiar.org>
Date: Mon, 27 Feb 2017 00:22:19 +0100
Subject: [PATCH] eg/plpinfo: escape html characters in dumped fields

Support special characters in environment and user input values.
Closes XSS vector if public.
---
 eg/plpinfo.plp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/eg/plpinfo.plp b/eg/plpinfo.plp
index f25dc76..e22ca84 100644
--- a/eg/plpinfo.plp
+++ b/eg/plpinfo.plp
@@ -58,7 +58,7 @@ printf "<tr><th>%s</th><td>%s</td></tr>\n", @$_ for (
 <:
 s/(?<=,)/<wbr>/g for values %ENV; # allow breaks at commas (HTTP_ACCEPT*)
 printf("<tr><th>%s</th><td>%s</td></tr>\n",
-	$_, defined $ENV{$_} ? $ENV{$_} : "<i>no value</i>"
+	$_, defined $ENV{$_} ? EscapeHTML($ENV{$_}) : "<i>no value</i>"
 ) for sort keys %ENV;
 :></table>
 
@@ -68,7 +68,7 @@ printf("<tr><th>%s</th><td>%s</td></tr>\n",
 <:
 for my $var (qw[ get post cookies header ]) {
 	printf("<tr><th>%s{'%s'}</th><td>%s</td></tr>\n",
-		$var, $_, defined $$var{$_} ? $$var{$_} : "<i>no value</i>"
+		$var, $_, defined $$var{$_} ? EscapeHTML($$var{$_}) : "<i>no value</i>"
 	) for sort keys %$var;
 }
 :></table>
-- 
2.30.0