From: Fabian Grünbichler
Date: Tue, 17 May 2022 12:48:27 +0000 (+0200)
Subject: html formatter: encode href attributes
X-Git-Url: https://git.proxmox.com/?p=pve-http-server.git;a=commitdiff_plain;h=00661f1223b7c0afffa64e1d91f5e018b985f762

html formatter: encode href attributes

these contain untrusted data, so treat them accordingly.

Reported-by: Li, Jian Tao
Signed-off-by: Fabian Grünbichler
(cherry picked from commit 678173500899411f4b670356f4ec266e3525823d)
Signed-off-by: Thomas Lamprecht
---

diff --git a/src/PVE/APIServer/Formatter/HTML.pm b/src/PVE/APIServer/Formatter/HTML.pm
index 743d0ad..80617ca 100644
--- a/src/PVE/APIServer/Formatter/HTML.pm
+++ b/src/PVE/APIServer/Formatter/HTML.pm
@@ -91,7 +91,7 @@ sub render_page {
 	    text => 'Home'}};
     foreach my $comp (@pcomp) {
-	$href .= "/$comp";
+	$href .= "/".encode_entities($comp);
 	push @$items, { tag => 'li', cn => { tag => 'a', href => $href,
@@ -214,7 +214,7 @@ PVE::APIServer::Formatter::register_formatter($portal_format, sub {
 	push @$items, {
 	    tag => 'a',
 	    class => 'list-group-item',
-	    href => "$path/$value",
+	    href => "$path/".encode_entities($value),
 	    cn => [
 		{
 		    tag => 'h4',
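Review bot: `encode_entities($comp)` on the added line keeps the component from breaking out of the `href` attribute, but the component is a URL path segment and entity encoding leaves URL-significant characters such as `?`, `#` and `%` untouched, so a component containing them still changes where the link resolves; the same applies to `encode_entities($value)` in the second hunk (`@@ -214`). A more precise treatment is to percent-encode the segment for the URL and entity-encode for the attribute, e.g. `$href .= "/".encode_entities(uri_escape($comp));` (URI::Escape, if it is an acceptable dependency for this module; the hunk itself adds no `use` line, so it presumably relies on HTML::Entities already being imported). Encoding at build time also means `$href` now carries an entity-encoded string into the `push @$items` structure, so if the renderer that later emits these items escapes attribute values again, an `&` from an earlier component would end up as `&amp;amp;` — worth confirming against the renderer, which is outside the hunk. render_page begins before and continues after this hunk.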
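Review bot: The new `href` line entity-encodes `$value` but still interpolates `$path` raw into the same attribute; whether `$path` can carry request-controlled text cannot be told from the hunk, but if it is derived from the request URI it needs the same treatment, e.g. `href => encode_entities("$path/$value"),`, which also keeps the encoding of the whole attribute value in one place. The enclosing anonymous sub passed to `register_formatter` begins before and continues after this hunk.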