html formatter: encode href attributes

these contain untrusted data, so treat them accordingly. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-01-22 22:03:52 +03:00 · 2022-05-17 14:48:27 +02:00 · 2022-05-17 14:48:27 +02:00 · 6781735008
commit 6781735008
parent 34f20af260
1 changed files with 2 additions and 2 deletions
--- a/src/PVE/APIServer/Formatter/HTML.pm
+++ b/src/PVE/APIServer/Formatter/HTML.pm
@ -91,7 +91,7 @@ sub render_page {
 	text => 'Home'}};

    foreach my $comp (@pcomp) {
-	$href .= "/$comp";
+	$href .= "/".encode_entities($comp);
 	push @$items, { tag => 'li', cn => {
 	    tag => 'a',
 	    href => $href,
@ -214,7 +214,7 @@ PVE::APIServer::Formatter::register_formatter($portal_format, sub {
 		    push @$items, {
 			tag => 'a',
 			class => 'list-group-item',
-			href => "$path/$value",
+			href => "$path/".encode_entities($value),
 			cn => [
 			    {
 				tag => 'h4',