From 980577e1f053fce81c1e5b03274378894149f181 Mon Sep 17 00:00:00 2001
From: Thomas Jarosch <thomas.jarosch@intra2net.com>
Date: Thu, 15 Jul 2010 11:43:07 +0200
Subject: [PATCH] Also filter single quotes and / in html_entities() to prevent XSS attack in normal text

---
 src/stringfunc.cpp |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/src/stringfunc.cpp b/src/stringfunc.cpp
index 1fe636a..16cd6bd 100644
--- a/src/stringfunc.cpp
+++ b/src/stringfunc.cpp
@@ -781,9 +781,11 @@ string html_entities(std::string str)
 {
    // Normal chars
    replace_all (str, "&", "&amp;");
-   replace_all (str, "\"", "&quot;");
    replace_all (str, "<", "&lt;");
    replace_all (str, ">", "&gt;");
+   replace_all (str, "\"", "&quot;");
+   replace_all (str, "'", "&#x27;");
+   replace_all (str, "/", "&#x2F;");
 
    // Umlauts
    replace_all (str, "\xC3\xA4", "&auml;");
-- 
1.7.1