From 1a959e2681777bc28d9e8f19bb4195067dc55f4e Mon Sep 17 00:00:00 2001
From: Roy Johnson <roy.l.johnson@gmail.com>
Date: Mon, 9 Jan 2006 20:15:28 +0000
Subject: [PATCH] Merging bugfix into HEAD

---
 docs/changelog/6.x.x.txt             |  5 +++++
 lib/WebGUI/Asset/Wobject/DataForm.pm | 12 ++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/docs/changelog/6.x.x.txt b/docs/changelog/6.x.x.txt
index 109bd1894..a381b90ac 100644
--- a/docs/changelog/6.x.x.txt
+++ b/docs/changelog/6.x.x.txt
@@ -4,6 +4,11 @@
 
 
 6.8.4
+=======
+ - fix [ 1395371 ] XSS Vulnerability in DataForm Entries
+ - When working with a redirect in admin mode, you're now presented with a
+   decision page regarding the redirect to help make working with redirects a
+   little easier.
  - fix [ 1379384 ] image uploads to non-public pages (Len Kranendonk /
    ilance.nl)
  - fix [ 1379915 ] Survey can only be completed once per user
diff --git a/lib/WebGUI/Asset/Wobject/DataForm.pm b/lib/WebGUI/Asset/Wobject/DataForm.pm
index 55a09985b..08927c710 100644
--- a/lib/WebGUI/Asset/Wobject/DataForm.pm
+++ b/lib/WebGUI/Asset/Wobject/DataForm.pm
@@ -16,6 +16,7 @@ use Tie::IxHash;
 use WebGUI::DateTime;
 use WebGUI::Form;
 use WebGUI::FormProcessor;
+use WebGUI::HTML;
 use WebGUI::HTMLForm;
 use WebGUI::HTTP;
 use WebGUI::Icon;
@@ -574,6 +575,16 @@ sub purge {
     	$self->SUPER::purge();
 }
 
+#-------------------------------------------------------------------
+sub sanitizeUserInput {
+	my $self = shift;
+	my $content = shift;
+	my $contentType = shift || "text";
+	my $msg = WebGUI::HTML::format($content, $contentType);
+	
+	return $msg;
+}
+
 #-------------------------------------------------------------------
 sub sendEmail {
 	my $self = shift;
@@ -1047,6 +1058,7 @@ sub www_process {
 		if ($row{status} eq "required" || $row{status} eq "editable") {
 			$value = $self->session->form->process($row{name},$row{type},$row{defaultValue});
 			WebGUI::Macro::filter(\$value);
+			$value = $self->sanitizeUserInput($value) unless ($row{type} eq "HTMLArea");
 		}
 		if ($row{status} eq "required" && ($value =~ /^\s$/ || $value eq "" || not defined $value)) {
 			push (@errors,{