cgi: Clean the user supplied $lang
authorWerner Koch <wk@gnupg.org>
Sun, 14 May 2017 10:49:34 +0000 (12:49 +0200)
committerWerner Koch <wk@gnupg.org>
Sun, 14 May 2017 10:49:34 +0000 (12:49 +0200)
cgi/procdonate.cgi

index 62dfd7b..c6dc026 100755 (executable)
@@ -112,9 +112,11 @@ sub write_template ($) {
     $mail =~ s/\x22/\x27/g;
     $message =~ s/\x22/\x27/g;
     $separef =~ s/\x22/\x27/g;
+    $lang =~ s/\x22/\x27/g;
 
     # Clean possible user provided data
     $sessid =~ s/</\x26lt;/g;
+    $lang =~ s/</\x26lt;/g;
     $amount =~ s/</\x26lt;/g;
     $stripeamount =~ s/</\x26lt;/g;
     $currency =~ s/</\x26lt;/g;
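Review bot: The two substitutions added for `$lang` only turn `"` into `'` and `<` into `&lt;`, so `&`, `>` and `'` still pass through unchanged. Whether that matters depends on where write_template emits `$lang`, which is outside this hunk; a single-quoted attribute or a URL would still be affected. Because a language code comes from a small fixed set, an allow-list check is stronger than stripping characters, e.g. `$lang = $default_lang unless $lang =~ /\A[a-z]{2}\z/;` (`$default_lang` is a placeholder, and the pattern should be adjusted to the codes the site actually serves). The same partial escaping applies to the neighbouring `$sessid`, `$amount`, `$stripeamount` and `$currency` lines. write_template starts and ends outside the hunk.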