From f3a382154b9a9ae1618579c72bafa774915cc483 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Thu, 7 Oct 2010 17:11:15 +0000
Subject: [PATCH] - web: fix XSS vulnerability
svn path=/trunk/boinc/; revision=22470
---
 checkin_notes | 6 ++++++
 html/inc/pm.inc | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/checkin_notes b/checkin_notes
index 0fe6d317f2..21008435be 100644
--- a/checkin_notes
+++ b/checkin_notes
@@ -7163,3 +7163,9 @@ David 7 Oct 2010
 client/
 log_flags.cpp,h
 cs_scheduler.cpp
+
+David 7 Oct 2010
+ - web: fix XSS vulnerability
+
+ html/inc/
+ pm.inc
diff --git a/html/inc/pm.inc b/html/inc/pm.inc
index 2f4ee5fb1a..39dcf4ce4b 100644
--- a/html/inc/pm.inc
+++ b/html/inc/pm.inc
@@ -66,7 +66,7 @@ function pm_form($error = null) {
 $writeto = $userid." (".$user->name.")";
 }
 } else {
-$writeto = post_str("to", true);
+$writeto = sanitize_tags(post_str("to", true));
 $subject = post_str("subject", true);
 $content = post_str("content", true);
 }
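Review bot: The two fields read immediately after the changed line, `$subject` and `$content`, still come straight from post_str() unsanitized, so if pm_form() echoes them back into the form on an error re-display (which the $error parameter in the hunk header suggests, though the rest of the function is outside the hunk) they carry the same reflected-XSS exposure this commit closes for `to`. Giving them the same treatment would be `$subject = sanitize_tags(post_str("subject", true));` and `$content = sanitize_tags(post_str("content", true));`. Stripping tags on input is also only as strong as sanitize_tags()'s definition, which is not visible here; escaping with htmlspecialchars() at the point where these values are written into the HTML is the more robust fix and does not depend on what sanitize_tags() lets through. pm_form() begins before and continues past this hunk.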