File tcllib-1.16-textarea.patch of Package tcllib

Index: modules/html/html.tcl
==================================================================
--- modules/html/html.tcl
+++ modules/html/html.tcl
@@ -912,7 +912,7 @@ proc ::html::selectPlain {name param cho
 #	The html fragment
 
 proc ::html::textarea {name {param {}} {current {}}} {
-    ::set value [ncgi::value $name $current]
+    ::set value [quoteFormValue [ncgi::value $name $current]]
     return "<[string trimright \
 	"textarea name=\"$name\"\
 		[tagParam textarea $param]"]>$value</textarea>\n"
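Review bot: The proc's header comment (the "The html fragment" result line at the top of the hunk is its tail) is not updated to say that the current value is now passed through quoteFormValue before being emitted, so a caller that already escapes the value it stores via ncgi will now get it double-encoded (`&amp;` becomes `&amp;amp;`) without any documentation pointing at the change; I would add to the header `#	The current value is HTML-quoted (quoteFormValue) before it is emitted; pass it raw, not pre-escaped.` The `$name` argument on the next line is still interpolated into the attribute unescaped; that is unchanged by this patch and presumably a literal chosen by the application, but it is worth a one-line note in the same header if that assumption is relied on. The body of ::html::textarea continues past the end of the hunk.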
Index: modules/html/html.test
==================================================================
--- modules/html/html.test
+++ modules/html/html.test
@@ -453,6 +453,17 @@ test html-23.2 {html::textarea} {
 } {<textarea name="info" cols="50" rows="8">The textarea value.</textarea>
 }
 
+test html-23.3 {html::textarea, dangerous input} {
+    html::init {
+	textarea.cols 50
+	textarea.rows 8
+    }
+    ncgi::reset info=[ncgi::encode "</textarea><script>alert(1)</script>"]
+    ncgi::parse
+    html::textarea info
+} {<textarea name="info" cols="50" rows="8">&lt;/textarea&gt;&lt;script&gt;alert(1)&lt;/script&gt;</textarea>
+}
+
 test html-24.1 {html::submit} {
     catch {html::submit}
 } {1}
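Review bot: The new test html-23.3 only exercises `<` and `>`, so it does not pin the rest of the quoting contract that html::textarea now has through quoteFormValue: `&`, `"` and `'` in the stored value. A second case with a value such as `A &amp; "B"` would document that a value stored already-escaped is encoded again (the behaviour change introduced in html.tcl) and would catch a later regression that narrows the mapping. The test name "dangerous input" is fine, but a short comment above it naming the characters covered would make the intent clearer, e.g. `# value containing tag-closing characters must be emitted as entities`.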