From 8c1a9ff69598b1ec5d4eda67cab4ee063268eb3c Mon Sep 17 00:00:00 2001
From: Anton Berezin
Date: Tue, 30 Sep 2003 08:33:57 +0000
Subject: Add a patch to properly escape generated action attribute in CGI::start_form. The escape code is taken from CGI.pm v.3.00. PR: 57391 Reported by: IIJIMA Hiromitsu
---
lang/perl5/files/patch-CGI.pm | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 lang/perl5/files/patch-CGI.pm
(limited to 'lang/perl5/files/patch-CGI.pm')
diff --git a/lang/perl5/files/patch-CGI.pm b/lang/perl5/files/patch-CGI.pm
new file mode 100644
index 000000000000..01410684a7ed
--- /dev/null
+++ b/lang/perl5/files/patch-CGI.pm
@@ -0,0 +1,15 @@
+--- lib/CGI.pm.orig Tue Sep 30 10:16:33 2003
++++ lib/CGI.pm Tue Sep 30 10:20:35 2003
+@@ -1497,8 +1497,10 @@ sub startform {
+ $method = lc($method) || 'post';
+ $enctype = $enctype || &URL_ENCODED;
+ unless (defined $action) {
+- $action = $self->url(-absolute=>1,-path=>1);
+- $action .= "?$ENV{QUERY_STRING}" if $ENV{QUERY_STRING};
++ $action = $self->escapeHTML($self->url(-absolute=>1,-path=>1));
++ if (length($ENV{QUERY_STRING})>0) {
++ $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
++ }
+ }
+ $action = qq(action="$action");
+ my($other) = @other ? " @other" : '';
--
cgit v1.2.3
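Review bot: The escaping added here covers only the generated default, so a caller-supplied `-action` still reaches `$action = qq(action="$action");` unescaped, and a double quote in it would close the attribute. If callers are expected to pass an already-escaped value, a comment above the `unless` should say so; otherwise that path needs at least its quotes neutralised, e.g. `$action =~ s/"/%22/g if defined $action;` placed before the `unless`. Separately, `length($ENV{QUERY_STRING})>0` replaces a plain truth test, so an unset QUERY_STRING will likely raise an uninitialized-value warning under `-w`; `defined $ENV{QUERY_STRING} && length $ENV{QUERY_STRING}` avoids that while still admitting a query string of `0`. The body of startform begins and ends outside the hunk, so any handling of `$action` elsewhere in it is not visible here.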