From a26eb1e0747bd1a3fca04a7aea603232b9793375 Mon Sep 17 00:00:00 2001
From: Axel Beckert <xtaran@users.sourceforge.net>
Date: Thu, 2 Oct 2008 01:05:34 +0000
Subject: [PATCH] Minimal version of Kevin's patch against CVE-2008-2236 (no
 additional variable $esc_flavour since $flavour should never contain any HTML
 code and therefore the distinction between escaped and unescaped is not
 necessary and doesn't make it necessary to change any templates. (We can only
 change ours.)

---
 blosxom.cgi | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/blosxom.cgi b/blosxom.cgi
index eae39bf..44edf47 100755
--- a/blosxom.cgi
+++ b/blosxom.cgi
@@ -2,7 +2,7 @@
 
 # Blosxom
 # Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008)
-# Version: 2.1.1 ($Id: blosxom.cgi,v 1.83 2008/07/30 22:27:02 xtaran Exp $)
+# Version: 2.1.1 ($Id: blosxom.cgi,v 1.84 2008/10/02 01:05:34 xtaran Exp $)
 # Home/Docs/Licensing: http://blosxom.sourceforge.net/
 # Development/Downloads: http://sourceforge.net/projects/blosxom
 
@@ -214,6 +214,23 @@ if (! ($flavour = param('flav'))) {
 }
 $flavour ||= $default_flavour;
 
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+  my $string = shift;
+  my %escape = (
+                '<' => '&lt;',
+                '>' => '&gt;',
+                '&' => '&amp;',
+                '"' => '&quot;',
+                "'" => '&apos;'
+                );
+  my $escape_re = join '|' => keys %escape;
+  $string =~ s/($escape_re)/$escape{$1}/g;
+  $string;
+}
+
 # Global variable to be used in head/foot.{flavour} templates
 $path_info = '';
 # Add all @path_info elements to $path_info till we come to one that could be a year
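Review bot: The alternation in `my $escape_re = join '|' => keys %escape;` interpolates the hash keys into the pattern unquoted, so it is correct only because none of these five characters is a regex metacharacter; adding `.`, `/` or `(` to `%escape` later would silently change what the substitution matches. Quoting the keys keeps the table extensible: `my $escape_re = join '|', map { quotemeta } keys %escape;`. Separately, `&apos;` is an XML entity that older HTML 4 user agents do not recognise; `&#39;` is the portable replacement for the single quote. Since the escaped value is assigned back to `$flavour` rather than to a separate output variable, the same string presumably also selects the template files further down — if so, an anchored allowlist on the parameter (e.g. falling back to `$default_flavour` unless `$flavour =~ /\A\w+\z/`) would reject malformed names before they reach either the filesystem or the page, rather than only neutralising the HTML-significant characters.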
-- 
2.30.2