eg/plpinfo: escape html characters in dumped fields

Support special characters in environment and user input values.
Closes XSS vector if public.

diff --git a/eg/plpinfo.plp b/eg/plpinfo.plp
index f25dc767f7b79a1f4688526dd4fbafcb487af6e1..e22ca841348c7b9121a3ed24c3fba6d7ee24ac3e 100644 (file)
--- a/eg/plpinfo.plp
+++ b/eg/plpinfo.plp
@@ -58,7 +58,7 @@ printf "<tr><th>%s</th><td>%s</td></tr>\n", @$_ for (
 <:
 s/(?<=,)/<wbr>/g for values %ENV; # allow breaks at commas (HTTP_ACCEPT*)
 printf("<tr><th>%s</th><td>%s</td></tr>\n",
-       $_, defined $ENV{$_} ? $ENV{$_} : "<i>no value</i>"
+       $_, defined $ENV{$_} ? EscapeHTML($ENV{$_}) : "<i>no value</i>"
 ) for sort keys %ENV;
 :></table>
 
@@ -68,7 +68,7 @@ printf("<tr><th>%s</th><td>%s</td></tr>\n",
 <:
 for my $var (qw[ get post cookies header ]) {
        printf("<tr><th>%s{'%s'}</th><td>%s</td></tr>\n",
-               $var, $_, defined $$var{$_} ? $$var{$_} : "<i>no value</i>"
+               $var, $_, defined $$var{$_} ? EscapeHTML($$var{$_}) : "<i>no value</i>"
        ) for sort keys %$var;
 }
 :></table>