From b002fbb96ee916f63984181a31d1942222a38161 Mon Sep 17 00:00:00 2001
From: Javier Bassi <profetasdelmetal@gmail.com>
Date: Tue, 18 Oct 2011 23:47:38 -0200
Subject: [PATCH] Escaping username and group names.

---
 useradmin/my_group_chooser.cgi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/useradmin/my_group_chooser.cgi b/useradmin/my_group_chooser.cgi
index f1c8108d..509e2169 100755
--- a/useradmin/my_group_chooser.cgi
+++ b/useradmin/my_group_chooser.cgi
@@ -142,8 +142,8 @@ else {
 	foreach $u (&get_groups_list()) {
 		if ($in{'group'} eq $u->[0]) { print "<tr $cb>\n"; }
 		else { print "<tr>\n"; }
-		print "<td width=20%><a href=\"\" onClick='return select(\"$u->[0]\")'>$u->[0]</a></td>\n";
-		print "<td>$u->[3]</td> </tr>\n";
+		print "<td width=20%><a href=\"\" onClick='return select(\"$u->[0]\")'>".&html_escape($u->[0])."</a></td>\n";
+		print "<td>".&html_escape($u->[3])."</td> </tr>\n";
 		}
 	print "</table>\n";
 	&popup_footer();
-- 
2.17.1