From 4abf62fe937bad9da70bb7a9b5718cc979a170f9 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Sun, 19 Oct 2025 20:12:57 +0100
Subject: [PATCH] Fix XSS vuln by escaping all variables in templates
---
 bcp5-registry.pl | 2 +-
 passwords.pl | 2 +-
 utils.pl | 27 ++++++++++++++++++---------
 3 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/bcp5-registry.pl b/bcp5-registry.pl
index 48047dc..2bd9e92 100755
--- a/bcp5-registry.pl
+++ b/bcp5-registry.pl
@@ -445,7 +445,7 @@ sub finish_error ($) {
 }
 sub finish () {
- process_file('template.html');
+ process_file('template.html', 1);
 print $out or die $!;
 close STDOUT or die $!;
 exit 0;
diff --git a/passwords.pl b/passwords.pl
index 419b2ca..2dacdf2 100644
--- a/passwords.pl
+++ b/passwords.pl
@@ -57,7 +57,7 @@ sub make_password ($) {
 sub send_password ($) {
 $password= make_password($id);
- process_file('notice.txt');
+ process_file('notice.txt', 0);
 open SM, "| /usr/sbin/sendmail -odb -oi -oee -f $nullemail -t" or die $!;
 print SM $out or die $!;
 close SM; $? and die $?;
diff --git a/utils.pl b/utils.pl
index 41dcff8..3528cb7 100644
--- a/utils.pl
+++ b/utils.pl
@@ -18,8 +18,8 @@ open RAND,"/dev/urandom" or die $!;
-sub process_file ($) {
- local ($filename) = @_;
+sub process_file ($$) {
+ local ($filename, $quote_html) = @_;
 open X, "$filename" or die "$filename: $!";
 @x= ;
@@ -31,7 +31,7 @@ sub process_file ($) {
 $cl= 0;
 $out= '';
 $level= -1;
- process(1);
+ process(1, $quote_html);
 }
 sub randnybs ($) {
@@ -48,8 +48,8 @@ sub out ($) {
 $out.= $_[0]."\n";
 }
-sub process ($) {
- my ($doing) = @_;
+sub process ($$) {
+ my ($doing, $quote_html) = @_;
 my ($bcl);
 $level++;
 for (;;) {
@@ -67,7 +67,7 @@ sub process ($) {
 $do= !$do if $q eq 'ifnot';
 # out("");
 }
- process($doing && $do);
+ process($doing && $do, $quote_html);
 } elsif (m/^\@\@\@foreach\:(area|db)\@\@\@$/) {
 if ($doing) {
 $bcl= $cl;
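Review bot: In the `@@ -18,8` hunk `$quote_html` is introduced with `local`, i.e. as a dynamically scoped package global, while every consumer the patch adds receives it as an explicit argument and `process` (`@@ -48,8` hunk) shadows it with `my` — two mechanisms carrying one flag invite them to drift apart. Nothing visible reads the global, so a lexical is enough: `local ($filename) = $_[0];` followed by `my $quote_html = $_[1];`. Separately, a caller that still passes one argument (the new `($$)` prototype only catches that where the declaration is visible at compile time) leaves the flag undef, which once it is honoured means no escaping — the unsafe direction for an XSS fix; `defined $quote_html or $quote_html = 1;` would make omission fail safe. process_file's body continues outside the hunk, so confirm that no code there relies on the global.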
@@ -75,16 +75,16 @@ sub process ($) {
 &{"foreach_cond_$1"};
 &{"foreach_incr_$1"}) {
 &{"foreach_setvars_$1"};
- process($doing);
+ process($doing, $quote_html);
 $cl= $bcl;
 }
 }
- process(0);
+ process(0, $quote_html);
 } elsif (m/^\@\@\@comment\:(\s.*)?$/) {
 } elsif (m/\S/) {
 s/^\@\@\@$//;
 if ($doing) {
- s/\@\@\@(\w+)\@\@\@/ getvar("$1") /ge;
+ s/\@\@\@(\w+)\@\@\@/ getvar_mightquote("$1", $quote_html) /ge;
 out($_);
 } else {
 s/\@\@\@\w+\@\@\@//g;
@@ -101,6 +101,15 @@ sub getvar ($) {
 return $$vn;
 }
+sub getvar_mightquote ($$) {
+ my ($vn, $quote_html) = @_;
+ my $v = getvar($vn);
+ $v =~ s/\&/&/g;
+ $v =~ s/\/>/g;
+ return $v;
+}
+
 %saniarray= ('<','lt', '>','gt', '&','amp', '"','quot');
 sub html_sani {
 local ($in) = @_;
-- 
2.30.2
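Review bot: In the `@@ -101,6` hunk getvar_mightquote unpacks `$quote_html` but, in the lines visible here, never consults it — the `&`/`<`/`>` substitutions run unconditionally, so the `0` passed by passwords.pl's `process_file('notice.txt', 0)` has no effect and the plain-text mail body would carry HTML entities (the `<` substitution line is garbled in this copy and the hunk counts suggest one added line is missing, so confirm against the real patch). A guard right after the lookup, `return $v unless $quote_html;`, would make the name honest. The visible substitutions also leave `"` alone, which matters wherever a template places a variable inside an attribute value; `%saniarray` and `html_sani` directly below already list `"` → `quot`, so if `html_sani` does what its name suggests the new sub could delegate to it rather than carry a second, smaller escape table. html_sani's body continues outside the hunk.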