From 45ae7958715485c1c9eaaec28064639b7a284646 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Piotr=20Paw=C5=82ow?=
Date: Mon, 7 Jul 2014 12:10:36 +0200
Subject: [PATCH 1/2] Use html_escape to quote ui_textbox name / value HTML attributes
---
 ui-lib.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ui-lib.pl b/ui-lib.pl
index 46ae21a3a..3d907d843 100755
--- a/ui-lib.pl
+++ b/ui-lib.pl
@@ -718,8 +718,8 @@ sub ui_textbox
 return &theme_ui_textbox(@_) if (defined(&theme_ui_textbox));
 my ($name, $value, $size, $dis, $max, $tags) = @_;
 $size = &ui_max_text_width($size);
-return "";
From 1d6c3fbc756d9310cc6702ed9e72e825f34f236d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Piotr=20Paw=C5=82ow?=
Date: Mon, 7 Jul 2014 13:12:48 +0200
Subject: [PATCH 2/2] Use encodeURIComponent() instead of escape()
Reasons being:
- escape() is deprecated.
- escape() uses non-standard %u encoding, which isn't decoded properly by chooser.cgi.
- encodeURIComponent() uses UTF-8, which isn't decoded properly by chooser.cgi either, but at least is has a chance of matching the page / filesystem encoding and working properly.
---
 web-lib-funcs.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 3bba397aa..220ec2d2a 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -1703,7 +1703,7 @@ my ($w, $h) = (400, 300);
 if ($gconfig{'db_sizefile'}) {
 ($w, $h) = split(/x/, $gconfig{'db_sizefile'});
 }
-return "\n";
+return "\n";
 }
 =head2 popup_window_button(url, width, height, scrollbars?, &field-mappings)
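Review bot: The `+return` line in the web-lib-funcs.pl hunk changes how the field value is encoded for chooser.cgi, but nothing at that line records the encoding the receiver must expect, and the commit message itself says chooser.cgi does not yet decode UTF-8 percent-escapes properly. Until the decoding side is updated, a non-ASCII path can still reach chooser.cgi as a different byte sequence than the one entered, which matters if chooser.cgi validates or restricts the path it is given. I would add a comment above the return, `# file value is sent UTF-8 percent-encoded (encodeURIComponent); chooser.cgi must decode it as UTF-8 before any path checks`, and handle the chooser.cgi decoding as a follow-up in this series. The enclosing function starts before the hunk, and the markup inside both `return` strings is not visible on this page, so this rests on the commit message rather than on the string contents.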