From 969c938b31bb6c8df03f476cc957d05a573ba10c Mon Sep 17 00:00:00 2001 From: Jamie Cameron Date: Sun, 24 Feb 2008 22:01:21 +0000 Subject: [PATCH] XSS protection --- postgresql/index.cgi | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/postgresql/index.cgi b/postgresql/index.cgi index 33b364484..b48b0b3b2 100755 --- a/postgresql/index.cgi +++ b/postgresql/index.cgi @@ -156,14 +156,15 @@ else { @titles = grep { /\Q$in{'search'}\E/i } @titles; print "\n"; print "\n"; + "".&html_escape($in{'search'}).""),"\n"; print "\n"; print "
",&text('index_showing', - "$in{'search'}"),"", "$text{'view_searchreset'}
\n"; } elsif ($in{'show'}) { # Limit to specific databases - @titles = split(/\0/, $in{'show'}); + %show = map { $_, 1 } split(/\0/, $in{'show'}); + @titles = grep { $show{$_} } @titles; } # List the databases
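Review bot: In the `elsif ($in{'show'})` branch, `%show` is assigned without `my`, so it becomes a package global. If nothing after the branch reads it, `my %show = map { $_, 1 } split(/\0/, $in{'show'});` keeps it scoped to where it is used. The new `grep { $show{$_} } @titles` intersects the request parameter with the existing list instead of replacing it. That matters if `@titles` was already restricted to permitted databases earlier in the file, which this hunk does not show. A comment such as `# Intersect with @titles so 'show' can only narrow the list, never add names to it` would record that intent and make an accidental revert less likely. The enclosing if/else chain starts outside the hunk.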