From 00661f1223b7c0afffa64e1d91f5e018b985f762 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Tue, 17 May 2022 14:48:27 +0200
Subject: [PATCH] html formatter: encode href attributes
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
these contain untrusted data, so treat them accordingly.
Reported-by: Li, Jian Tao
Signed-off-by: Fabian Grünbichler
(cherry picked from commit 678173500899411f4b670356f4ec266e3525823d)
Signed-off-by: Thomas Lamprecht
---
 src/PVE/APIServer/Formatter/HTML.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/APIServer/Formatter/HTML.pm b/src/PVE/APIServer/Formatter/HTML.pm
index 743d0ad..80617ca 100644
--- a/src/PVE/APIServer/Formatter/HTML.pm
+++ b/src/PVE/APIServer/Formatter/HTML.pm
@@ -91,7 +91,7 @@ sub render_page {
 text => 'Home'}};
 foreach my $comp (@pcomp) {
- $href .= "/$comp";
+ $href .= "/".encode_entities($comp);
 push @$items, { tag => 'li', cn => { tag => 'a', href => $href,
@@ -214,7 +214,7 @@ PVE::APIServer::Formatter::register_formatter($portal_format, sub {
 push @$items, {
 tag => 'a',
 class => 'list-group-item',
- href => "$path/$value",
+ href => "$path/".encode_entities($value),
 cn => [
 {
 tag => 'h4',
--
2.39.2
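Review bot: Entity-encoding `$comp` on the added `$href .= ...` line stops a path segment from breaking out of the href attribute, but it does not URL-encode it, so a segment containing `?`, `#`, `%` or whitespace still changes where the link resolves rather than pointing at the intended child; the safer form is to URL-escape first and entity-encode the result, e.g. `$href .= "/" . encode_entities(uri_escape($comp));` if URI::Escape is available in this module. It is also worth confirming that the code which serializes the `$items` tree into markup does not already entity-encode attribute values, since `$href` would then come out double-encoded. `render_page` begins before this hunk and continues after it, and the `encode_entities` import is not visible here; the diffstat of two insertions suggests it was already in scope.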
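Review bot: On the added `href => "$path/".encode_entities($value),` line only `$value` is encoded while the `$path` prefix is still interpolated raw; if `$path` is derived from the request URL it needs the same treatment, otherwise the attribute-injection hole this commit closes remains open through the prefix. As with `$value`, entity encoding alone does not neutralize URL metacharacters in a listing entry, so `"$path/" . encode_entities(uri_escape($value))` (URL escape first, entities second) would be the more complete fix, assuming URI::Escape is importable here. The anonymous formatter sub starts before this hunk and its body continues after it, so whether `$path` was validated earlier cannot be judged from the hunk alone.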