Encode the if parameter before using it in html

1 files changed, 3 insertions, 3 deletions

diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 310b0d3..c8962c8 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -311,8 +311,8 @@ function print_info_box_np($msg, $name="apply",$value="", $showapply=false) {
 	if(stristr($msg, gettext("apply")) != false || stristr($msg, gettext("save")) != false || stristr($msg, gettext("create")) != false || $showapply) {
 		$savebutton = "<td class='infoboxsave'>";
 		$savebutton .= "<input name=\"{$name}\" type=\"submit\" class=\"formbtn\" id=\"${name}\" value=\"{$value}\">";
-		if($_POST['if']) 
-			$savebutton .= "<input type='hidden' name='if' value='{$_POST['if']}'>";
+		if($_POST['if'])
+			$savebutton .= "<input type='hidden' name='if' value='" . htmlspecialchars($_POST['if']) . "'>";
 		$savebutton.="</td>";
 	}
 	$nifty_redbox = "#990000";
@@ -375,7 +375,7 @@ function print_info_box_np_undo($msg, $name="apply",$value="Apply changes", $und
 		$savebutton .= " <input name=\"{$name}\" type=\"submit\" class=\"formbtn\" id=\"${name}\" value=\"{$value}\">";
 		$savebutton.="</nobr></td>";
 		if($_POST['if']) 
-			$savebutton .= "<input type='hidden' name='if' value='{$_POST['if']}'>";
+			$savebutton .= "<input type='hidden' name='if' value='" . htmlspecialchars($_POST['if']) . "'>";
 	}
 	$nifty_redbox = "#990000";
 	$nifty_blackbox = "#000000";