Escape uploaded path

2026-05-04 22:30:33 +01:00 · 2017-12-25 23:09:44 -08:00
parent 645a2d3067
commit ce5d99fe6b
1 changed files with 2 additions and 1 deletions
--- a/updown/upload.cgi
+++ b/updown/upload.cgi
@@ -70,7 +70,8 @@ for($i=0; defined($in{"upload$i"}); $i++) {
 		else {
 			$path = $in{'dir'};
 			}
-		print &text('upload_saving', "<tt>$path</tt>"),"<br>\n";
+		print &text('upload_saving',
+			    "<tt>".&html_escape($path)."</tt>"),"<br>\n";
 		if (!&open_tempfile(FILE, ">$path", 1)) {
 			&error(&text('upload_eopen', "<tt>$path</tt>", $!));
 			}