$NetBSD: patch-as,v 1.2 2020/09/07 10:34:52 mef Exp $

Fix various cross site scripting, arbitrary command execution and various
other vulnerabilities in webmin (CVE-2008-0720).

--- cluster-software/search.cgi.orig	2007-09-21 23:27:39.000000000 +0200
+++ cluster-software/search.cgi
@@ -29,7 +29,8 @@ if (@match == 1) {
 &ui_print_header(undef, $text{'search_title'}, "", "search");
 if (@match) {
 	@match = sort { lc($a->{'name'}) cmp lc($b->{'name'}) } @match;
-	print "<b>",&text('search_match', "<tt>$s</tt>"),"</b><br>\n";
+	print "<b>",&text('search_match', "<tt>" . &html_escape($s) . "</tt>"),
+		"</b><br>\n";
 
 	print &ui_form_start("delete_packs.cgi", "post");
 	print &ui_hidden("search", $in{'search'}),"\n";
@@ -43,8 +44,9 @@ if (@match) {
 				  $text{'search_desc'} ], 100, 0, \@tds);
 	foreach $i (@match) {
 		local @cols;
-		push(@cols, "<a href=\"edit_pack.cgi?search=$s&package=".
-		      &urlize($i->{'name'})."\">$i->{'name'}</a>");
+		push(@cols, "<a href=\"edit_pack.cgi?search=" .
+			&urlize($s) . "&package=". &urlize($i->{'name'}) .
+			"\">$i->{'name'}</a>");
 		$c = $i->{'class'};
 		push(@cols, $i->{'class'} || $text{'search_none'});
 		push(@cols, $i->{'desc'});
@@ -62,7 +64,8 @@ if (@match) {
 	print &ui_form_end();
 	}
 else {
-	print "<b>",&text('search_nomatch', "<tt>$s</tt>"),"</b>\n";
+	print "<b>",&text('search_nomatch', "<tt>" . &html_escape($s) .
+		"</tt>"),"</b>\n";
 	}
 
 &ui_print_footer("", $text{'index_return'});
