From 55a8843edf83f27547ff1efda2075518d7b60d75 Mon Sep 17 00:00:00 2001
From: Jamie Cameron
Date: Sat, 5 Jul 2014 10:47:49 -0700
Subject: [PATCH] Also need HTML escaping when printing output

---
 group_chooser.cgi | 8 ++++++--
 user_chooser.cgi | 9 +++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/group_chooser.cgi b/group_chooser.cgi
index f0d240962..93cbea047 100755
--- a/group_chooser.cgi
+++ b/group_chooser.cgi
@@ -111,10 +111,14 @@
 top.sel = sel2;
 top.selr = selr2;
 location = location;
 return false;
 }
+function html_escape(s)
+{
+return s.replace(/&/g, '&').replace(//g, '>');
+}
 for(i=0; i\n");
- document.write(""+top.sel[i]+"\n");
- document.write(""+top.selr[i]+"\n");
+ document.write(""+html_escape(top.sel[i])+"\n");
+ document.write(""+html_escape(top.selr[i])+"\n");
 }
diff --git a/user_chooser.cgi b/user_chooser.cgi
index abc707abd..76b0c1d6e 100755
--- a/user_chooser.cgi
+++ b/user_chooser.cgi
@@ -2,6 +2,7 @@
 # user_chooser.cgi
 # This CGI generated the HTML for choosing a user or list of users.
+$trust_unknown_referers = 1;
 BEGIN { push(@INC, ".."); };
 use WebminCore;
@@ -102,10 +103,14 @@
 top.sel = sel2;
 top.selr = selr2;
 top.frames[1].location = top.frames[1].location;
 return false;
 }
+function html_escape(s)
+{
+return s.replace(/&/g, '&').replace(//g, '>');
+}
 for(i=0; i\n");
- document.write(""+top.sel[i]+"\n");
- document.write(""+top.selr[i]+"\n");
+ document.write(""+html_escape(top.sel[i])+"\n");
+ document.write(""+html_escape(top.selr[i])+"\n");
 }
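Review bot: The html_escape added in the group_chooser.cgi hunk only covers element-content characters — the chain as shown replaces `&` and, as far as the entity-garbled text allows to infer, the two angle brackets — and leaves `"` and `'` untouched, so it is safe for the `document.write` text positions it is used in here but not for attribute values. Either document that limit above the function, `// escapes for HTML element text only; not safe inside attribute values`, or extend the chain with `.replace(/"/g, '&quot;').replace(/'/g, '&#39;')` so a later caller cannot misuse it. The identical function is added verbatim to user_chooser.cgi in the last hunk; printing it once from a shared JS fragment that both choosers emit would keep the two copies from drifting. The function whose tail (`top.sel = sel2; … return false; }`) opens this hunk begins before it.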
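Review bot: `$trust_unknown_referers = 1;` in the first user_chooser.cgi hunk disables Webmin's referer check for this CGI, a security-relevant change that the commit message ("Also need HTML escaping") does not mention and that group_chooser.cgi does not receive in this patch. If the intent is that the chooser popup can be opened from pages that send no Referer, say so next to the assignment, `# Chooser popups may be opened without a Referer header, so the referer check is skipped` (presumed reason; confirm before merging). Once the referer check is skipped the page is reachable from outside a Webmin session, so every value it echoes must be escaped — the html_escape added later in this patch covers the JS `top.sel`/`top.selr` lists, but the Perl that builds those lists and any other parameter this CGI prints are outside the hunk and should be held to the same standard.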