diff --git a/mysql/search_form.cgi b/mysql/search_form.cgi
index c77ed57ba..90d9aa49a 100755
--- a/mysql/search_form.cgi
+++ b/mysql/search_form.cgi
@@ -27,7 +27,7 @@ for($i=0; $i<10; $i++) {
[ [ "", " " ],
map { [ $_->{'field'}, $_->{'field'} ] } @str ]),"\n";
print "
",&ui_select("match_$i", 0,
- [ map { [ $_, $text{'view_match'.$_} ] } (0.. 3) ])," | \n";
+ [ map { [ $_, $text{'view_match'.$_} ] } (0.. 5) ]),"\n";
print "",&ui_textbox("for_$i", undef, 30)," | \n";
print "\n";
}
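Review bot: The range `(0.. 5)` adds match modes 4 and 5 to the `match_$i` select, but the code that reads `match_$i` and builds the query is not part of this diff. It is worth confirming that code handles both new values and rejects anything outside 0-5, since the submitted value is client-controlled and is not limited to what the select offers. Each new option also needs `view_match4` and `view_match5` entries in `%text`, otherwise the select shows blank labels. A comment above the select such as `# modes 0-5 must match those accepted by the search handler` would keep the two in sync; the enclosing `for` loop starts outside the hunk.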
diff --git a/updown/download.cgi b/updown/download.cgi
index a6f54205f..1c4e2f22e 100755
--- a/updown/download.cgi
+++ b/updown/download.cgi
@@ -22,7 +22,7 @@ foreach $u (@urls) {
$host = $1; $page = $3;
}
else {
- &error(&text('download_eurl', $u));
+ &error(&text('download_eurl', &html_escape($u)));
}
if ($host =~ /^([^:\@]+):([^:\@]+)\@(\S+)/) {
$user = $1;
@@ -41,13 +41,14 @@ foreach $u (@urls) {
}
$in{'dir'} || &error($text{'upload_edir'});
&can_write_file($in{'dir'}) ||
- &error(&text('download_eaccess', "$in{'dir'}", $!));
+ &error(&text('download_eaccess',
+ "".&html_escape($in{'dir'})." : " . $!));
$download{'dir'} = $in{'dir'};
if ($can_mode != 3) {
# User can be entered
scalar(@uinfo = getpwnam($in{'user'})) || &error($text{'upload_euser'});
&can_as_user($in{'user'}) ||
- &error(&text('download_eucannot', $in{'user'}));
+ &error(&text('download_eucannot', &html_escape($in{'user'})));
$download{'uid'} = $uinfo[2];
$in{'group_def'} || scalar(@ginfo = getgrnam($in{'group'})) ||
&error($text{'upload_egroup'});
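Review bot: The rewritten `download_eaccess` call appears to pass one substitution argument, the escaped directory concatenated with `$!`, where the old call passed the directory and `$!` separately. If the message template references a second placeholder, it would now be left unfilled. Keeping two arguments retains the escaping without changing the template contract, e.g. `&error(&text('download_eaccess', &html_escape($in{'dir'}), $!));`, with whatever markup originally wrapped the directory kept around the escaped value. Some markup in these strings seems to have been lost in this rendering, so the argument count is inferred from the visible text. The `download_eucannot` change is fine as written.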
@@ -149,7 +150,7 @@ else {
}
}
if ($error) {
- print "",&text('download_failed', $error),"
\n";
+ print "
",&text('download_failed', &html_escape($error)),"
\n";
}
&ui_print_footer("index.cgi?mode=download", $text{'index_return'});
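Review bot: `$error` is escaped only at this `print`, and where it is assigned lies outside the hunk. If any earlier path already stores HTML-escaped or deliberately marked-up text in it, this will double-escape. Presumably it carries text from the remote server or the transfer code, in which case escaping at output is the right place. A comment on the `if ($error)` line such as `# $error may contain remote-supplied text; escape before output` would record why the escape must stay.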