Index: info2html1.1/info2html
===================================================================
--- info2html1.1.orig/info2html
+++ info2html1.1/info2html
@@ -47,7 +47,7 @@ $FTAG = '[^\)]+'; #-- p
 # not accessible.
 #---------------------------------------------------------
 sub DieFileNotFound{
- local($FileName) = @_;
+ local($FileName) = &XssEscape(@_);
 #-- TEXT : error message if a file could not be opened
 print <
@@ -110,6 +110,28 @@ sub DeEscape{
 }
 
 #----------------------------------------------------------
+# XssEscape
+#----------------------------------------------------------
+sub XssEscape {
+ local($Tag) = @_;
+ #-- output escaping is required to protect browser
+ # against `cross site' and `cross frame scripting'
+
+ $Tag =~ s/&/&/gs; # ampersand
+ $Tag =~ s/#/#/gs;
+ $Tag =~ s/;/;/gs;
+ $Tag =~ s/[\000-\037\200-\237]/¿/gs;
+ $Tag =~ s//>/gs; # greater-than symbol
+ $Tag =~ s/"/"/gs; # double quote
+ $Tag =~ s/\240/ /gs; # non-breaking space
+ $Tag =~ s/\255/­/gs; # soft hyphen
+ # the rest is interpreted
+ # as ISO 8859-1
+ $Tag;
+}
+
+#----------------------------------------------------------
 # ParsHeaderToken
 #----------------------------------------------------------
 # Parses the heaer line of an info node for a specific
@@ -470,6 +492,8 @@ EOF
 #----------------------------------------------------------
 sub ReplyNotFoundMessage{
 local($FileName,$Tag) = @_;
+ $FileName = &XssEscape($FileName);
+ $Tag = &XssEscape($Tag);
 print < Info Files - Error Message
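Review bot: `local($FileName) = &XssEscape(@_);` relies on XssEscape silently keeping only the first element of `@_` (its own `local($Tag) = @_;` drops the rest), which hides the one-argument contract behind the call. The third hunk spells the same step out as `local($FileName) = @_;` followed by `$FileName = &XssEscape($FileName);`, and DieFileNotFound would read more consistently, and be easier to audit, with those two lines. DieFileNotFound's `print <<` heredoc runs past the end of the hunk, so whether `$FileName` is the only value interpolated into the error page cannot be confirmed from here.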
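Review bot: The substitutions in XssEscape run in an order that can corrupt their own output: `&` is escaped first, then `#` and `;` are each replaced with an entity form, so if those replacement strings end in `;` (as `&amp;` and a numeric entity would), the later `$Tag =~ s/;/…/gs;` rewrites the `;` that the earlier two lines just produced and the browser receives a broken entity. As rendered on this page the replacement text has been decoded away (`s/&/&/gs` and `s/#/#/gs` read as identities, and the `<`/`>` pair has collapsed into `$Tag =~ s//>/gs;`, whose empty pattern would reuse the last successful match), so the hunk should be verified against the source file rather than this view; the entities below are reconstructed on that assumption. A single pass driven by a lookup table removes the ordering dependency, because a replacement is never rescanned by the same substitution; the control-character, `\240` and `\255` lines can stay as they are.
```perl
sub XssEscape {
    local($Tag) = @_;
    # One pass: the entity text inserted for one character is never
    # re-escaped by a later rule, whatever order the table is in.
    local(%entity_for) = ('&' => '&amp;', '#' => '&#35;', ';' => '&#59;',
                          '<' => '&lt;',  '>' => '&gt;',  '"' => '&quot;');
    $Tag =~ s/([&#;<>"])/$entity_for{$1}/g;
    # … unchanged: control-character, \240 and \255 substitutions …
    $Tag;
}
```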
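Review bot: `$FileName` and `$Tag` are escaped before the heredoc, but `print <<` and the page body it emits continue past the end of the hunk, so any other variable interpolated into that error page is not covered by this change and cannot be checked from here. Note also that XssEscape localises the same package global `$Tag` that ReplyNotFoundMessage has just localised; the `local` save/restore inside XssEscape is what keeps `$Tag = &XssEscape($Tag);` correct, which is easy to break if either side is later rewritten without `local`, so a comment such as `# XssEscape localises $Tag itself; the escaped value comes back only via its return` next to the call would help the next maintainer.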