From 2142edce39f905b7a6430b40f44597c569a5d88d Mon Sep 17 00:00:00 2001 From: Jamie Cameron Date: Sun, 25 Sep 2022 00:46:20 -0700 Subject: [PATCH] Escape descriptions and group names --- servers/index.cgi | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/servers/index.cgi b/servers/index.cgi index 895140b808..825a428951 100755 --- a/servers/index.cgi +++ b/servers/index.cgi @@ -55,7 +55,7 @@ if (@servers && $config{'display_mode'}) { my $table = "\n"; if (!$access{'links'} || !$s->{'port'}) { $table .= "\n"; } @@ -68,8 +68,9 @@ if (@servers && $config{'display_mode'}) { $link = &make_url($s); } $table .= "\n"; } $table .= "
\n"; - $table .= ($s->{'realhost'} || $s->{'host'}); + $table .= &html_escape($s->{'realhost'} ||$s->{'host'}); $table .= ":$s->{'port'}" if ($s->{'port'}); $table .= "\n"; - $table .= &ui_link($link, ($s->{'realhost'} || $s->{'host'} ). - ":".$s->{'port'}, undef, "target=_top"); + $table .= &ui_link($link, + &html_escape($s->{'realhost'} || $s->{'host'} ). + ":".$s->{'port'}, undef, "target=_top"); $table .= ""; @@ -83,8 +84,8 @@ if (@servers && $config{'display_mode'}) { } $table .= "
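Review bot: The port is still appended outside the escaping in both table branches: `$table .= ":$s->{'port'}" if ($s->{'port'});` in the no-link branch (hunk at -55) and `":".$s->{'port'}` in the `&ui_link` label (hunk at -68) are emitted raw while the host beside them is now escaped. Unless the port is guaranteed numeric when the server record is saved (not visible here), escape the whole label, e.g. `&html_escape(($s->{'realhost'} || $s->{'host'}).":".$s->{'port'})`. The href deserves the same check: `$link` comes from `&make_url($s)` and is passed through unchanged, so confirm that helper encodes whatever record fields it presumably builds the URL from. The enclosing `if (@servers && $config{'display_mode'})` block starts and ends outside these hunks.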
\n"; push(@cols, $table); - push(@cols, $s->{'desc'}); - push(@cols, $s->{'group'} || $text{'index_none'}); + push(@cols, &html_escape($s->{'desc'})); + push(@cols, &html_escape($s->{'group'}) || $text{'index_none'}); my ($type) = grep { $_->[0] eq $s->{'type'} } &get_server_types(); push(@cols, $type->[1]); @@ -195,6 +196,6 @@ elsif ($_[0]->{'realhost'}) { else { $rv = "$_[0]->{'host'}:$_[0]->{'port'}"; } -return $rv; +return &html_escape($rv); }
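Review bot: In `push(@cols, &html_escape($s->{'group'}) || $text{'index_none'});` the fallback now depends on `&html_escape` returning a false value for an empty or undefined group, whereas the host lines in the same commit put the `||` inside the call. Making the test explicit keeps the fallback independent of the helper's behaviour: `push(@cols, $s->{'group'} ? &html_escape($s->{'group'}) : $text{'index_none'});`. The next column, `$type->[1]`, is still pushed unescaped; that is fine only if `&get_server_types()` returns fixed strings, which is not visible in this hunk.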
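Review bot: `return &html_escape($rv);` changes what this function returns for every caller, not only for the page that prints it. A caller that sorts or compares on the result, logs it, or hands it to a helper that escapes again would now see entities or double-escaped text; the callers are not visible here, so each one needs checking. Escaping at the point of output would keep the return value raw; if escaping stays in the function, state the contract above the sub, e.g. `# Returns an HTML-escaped label - do not escape again or use as a hostname`. The function starts outside the hunk.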