$NetBSD: patch-ax,v 1.3 2020/09/07 10:34:52 mef Exp $

set &html_escape for the safety


--- htaccess-htpasswd/search.cgi.orig	2011-04-27 00:19:02.000000000 +0200
+++ htaccess-htpasswd/search.cgi	2011-06-15 23:23:42.000000000 +0200
@@ -19,7 +19,8 @@
 
 @dirs = &list_directories();
 %got = map { ( "$_->[0]/$config{'htaccess'}", 1 ) } @dirs;
-print "<b>",&text('search_doing', "<tt>$in{'search'}</tt>"),"</b><p>\n";
+print "<b>",&text('search_doing', "<tt>" . &html_escape($in{'search'}) .
+       "</tt>"), "</b><p>\n";
 
 # Use the find command
 &switch_user();
@@ -28,10 +29,12 @@
 while($f = <FIND>) {
 	chop($f);
 	if ($got{$f}) {
-		print &text('search_already', "<tt>$f</tt>"),"<br>\n";
+               print &text('search_already', "<tt>" . &html_escape($f) .
+                       "</tt>"),"<br>\n";
 		}
 	elsif (!open(TEST, $f)) {
-		print &text('search_open', "<tt>$f</tt>", $!),"<br>\n";
+               print &text('search_open', "<tt>" . &html_escape($f) . "</tt>",
+                       $!),"<br>\n";
 		}
 	else {
 		$conf = &foreign_call($apachemod, "get_htaccess_config", $f);
@@ -40,14 +43,16 @@
 		$require = &foreign_call($apachemod, "find_directive",
 					 "require", $conf, 1);
 		if ($currfile && $require) {
-			print &text('search_found', "<tt>$f</tt>",
-				    "<tt>$currfile</tt>"),"<br>\n";
+                       print &text('search_found', "<tt>" . &html_escape($f) .
+                               "</tt>", "<tt>" . &html_escape($currfile) .
+                               "</tt>"),"<br>\n";
 			local $d = $f;
 			$d =~ s/\/$config{'htaccess'}$//;
 			push(@dirs, [ $d, $currfile ]);
 			}
 		else {
-			print &text('search_noprot', "<tt>$f</tt>"),"<br>\n";
+                       print &text('search_noprot', "<tt>" .
+                               &html_escape($f) . "</tt>"),"<br>\n";
 			}
 		}
 	}
