r24666: {torstatus} Fix an XSS opportunity due to missing sanitation of descri (torstatus/trunk/web)

Author: sebastian Date: 2011-04-23 13:38:55 +0000 (Sat, 23 Apr 2011) New Revision: 24666 Modified: torstatus/trunk/web/index.php Log: Fix an XSS opportunity due to missing sanitation of descriptor values when displaying the contact column. Issue discovered and patch submitted by tagnaq. Modified: torstatus/trunk/web/index.php =================================================================== --- torstatus/trunk/web/index.php 2011-04-23 05:12:49 UTC (rev 24665) +++ torstatus/trunk/web/index.php 2011-04-23 13:38:55 UTC (rev 24666) @@ -759,7 +759,7 @@ $value == "Contact" ): - echo "<td class='TDS'>" . $record[$value] . "</td>"; + echo "<td class='TDS'>" . htmlentities($record[$value], ENT_QUOTES) . "</td>"; break; //case
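Review bot: On the added echo line, htmlentities($record[$value], ENT_QUOTES) is called without a charset argument, so the encoding falls back to PHP's default rather than the charset the page is actually served in. Pass that charset explicitly as the third argument so multi-byte contact strings from descriptors are encoded consistently. ENT_QUOTES is the right flag here because the surrounding markup uses single-quoted attributes (class='TDS'). The condition ending in $value == "Contact" is the only branch touched in this hunk; since the log attributes the problem to unsanitized descriptor values, the other branches of this switch that echo $record[$value] are worth confirming as escaped too, ideally by routing all of them through one escaping helper.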
participants (1)
-
Sebastian Hahn