From 3936dc6ec13ffa4aba8209210cc935ce3322f219 Mon Sep 17 00:00:00 2001
From: Jamie Cameron
Date: Fri, 15 Feb 2008 00:11:09 +0000
Subject: [PATCH] XSS protection
---
 mount/nfs_export.cgi | 5 +++--
 mount/nfs_server.cgi | 1 +
 mount/smb_server.cgi | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/mount/nfs_export.cgi b/mount/nfs_export.cgi
index b12f36f32..95e870dd8 100755
--- a/mount/nfs_export.cgi
+++ b/mount/nfs_export.cgi
@@ -2,9 +2,10 @@
 # nfs_export.cgi
 # Display a list of NFS exports on some host for the user to choose from
+$trust_unknown_referers = 1;
 require './mount-lib.pl';
 &ReadParse();
-&popup_header(&text('nfs_choose', $in{'server'}));
+&popup_header(&text('nfs_choose', &html_escape($in{'server'})));
 print < function choose(f)
@@ -16,7 +17,7 @@ window.close();
 EOF
 if ($error = &exports_list($in{'server'}, \@dirs, \@clients)) {
- print "",&text('nfs_failed', $in{'server'},
+ print "",&text('nfs_failed', &html_escape($in{'server'}),
 "
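Review bot: `$trust_unknown_referers = 1;` is added at the top of nfs_export.cgi with no comment saying why, and the nfs_server.cgi and smb_server.cgi hunks add the same bare line. Going by its name it relaxes the referer check that `mount-lib.pl` would otherwise apply to the request, which leaves output escaping as the only defence on these pop-ups; a comment such as `# Opened as a pop-up, referer may be absent: treat every %in value as untrusted` would record that. In this file `$in{'server'}` also goes unmodified into `&exports_list(...)`, whose body is outside the diff, so confirm it validates the host name before use.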

$error

"),"\n";
 exit;
 }
diff --git a/mount/nfs_server.cgi b/mount/nfs_server.cgi
index 9b5e5cb1a..092f891d0 100755
--- a/mount/nfs_server.cgi
+++ b/mount/nfs_server.cgi
@@ -3,6 +3,7 @@
 # Called in a pop-up javascript window to display a list of known NFS
 # servers, generated by broadcasting on the NFS port
+$trust_unknown_referers = 1;
 require './mount-lib.pl';
 use Socket;
 &popup_header($text{'nfs_server'});
diff --git a/mount/smb_server.cgi b/mount/smb_server.cgi
index 39614db98..20cd98e55 100755
--- a/mount/smb_server.cgi
+++ b/mount/smb_server.cgi
@@ -3,6 +3,7 @@
 # Called in a pop-up javascript window to display a list of known SMB
 # servers, by calling smbclient to request the browse list from some server
+$trust_unknown_referers = 1;
 require './mount-lib.pl';
 use Socket;
 &popup_header($text{'smb_choose'});
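Review bot: `$error` is still interpolated into the page unescaped on the context line directly below the changed `print` in the second nfs_export.cgi hunk. It is the return value of `&exports_list($in{'server'}, ...)`, and if that message repeats the requested host name or raw command output (the function body is not in this diff, so this is an inference), escaping only the `&text('nfs_failed', ...)` argument leaves the same input reflected a few characters later. Writing `&html_escape($error)` in place of `$error` on that line would cover it. The script continues after `exit; }` outside the hunk, so whatever it prints from `@dirs` and `@clients` deserves the same check.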