Index: modules/html/html.man
==================================================================
--- modules/html/html.man
+++ modules/html/html.man
@@ -1,7 +1,7 @@
[comment {-*- tcl -*- doctools manpage}]
-[vset HTML_VERSION 1.4.3]
+[vset HTML_VERSION 1.4.4]
[manpage_begin html n [vset HTML_VERSION]]
[see_also htmlparse]
[see_also ncgi]
[keywords checkbox]
[keywords checkbutton]
Index: modules/html/html.tcl
==================================================================
--- modules/html/html.tcl
+++ modules/html/html.tcl
@@ -13,11 +13,11 @@
#
# Originally by Brent Welch, with help from Dan Kuchler and Melissa Chawla
package require Tcl 8.2
package require ncgi
-package provide html 1.4.3
+package provide html 1.4.4
namespace eval ::html {
# State about the current page
@@ -910,11 +910,11 @@
#
# Results:
# The html fragment
proc ::html::textarea {name {param {}} {current {}}} {
- ::set value [ncgi::value $name $current]
+ ::set value [quoteFormValue [ncgi::value $name $current]]
return "<[string trimright \
"textarea name=\"$name\"\
[tagParam textarea $param]"]>$value\n"
}
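Review bot: The `name` argument is still interpolated unescaped into `name=\"$name\"` two lines below the fix, so only the element body is protected by this change. If any caller derives the field name from request data, the attribute can still be terminated early; consider emitting `name=\"[quoteFormValue $name]\"` while keeping the raw `$name` for the `ncgi::value` lookup. Because `ncgi::value` returns `$current` when no CGI value is present, the default now passes through `quoteFormValue` as well. Callers that pre-escaped their default will see double-encoded entities, which deserves a sentence in the man page. The proc's header comment starts outside this hunk, so any existing documentation of quoting is not visible here.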
Index: modules/html/html.test
==================================================================
--- modules/html/html.test
+++ modules/html/html.test
@@ -451,10 +451,22 @@
ncgi::reset info=[ncgi::encode "The textarea value."]
ncgi::parse
html::textarea info
} {
}
+
+test html-23.3 {html::textarea, dangerous input} {
+ html::init {
+ textarea.cols 50
+ textarea.rows 8
+ }
+ ncgi::reset info=[ncgi::encode ""]
+ ncgi::parse
+ html::textarea info
+} {
+}
+
test html-24.1 {html::submit} {
catch {html::submit}
} {1}
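Review bot: As shown here, html-23.3 passes an empty string to `ncgi::encode` and expects an empty result, which would pass against the unpatched `html::textarea` just as well. The payload and expected markup may have been lost when this page was rendered, so confirm against the repository copy. The test should submit a value containing `<`, `>`, `&` and `"` and assert the entity-encoded output byte for byte. A second case that supplies no CGI value and passes the same characters through the `current` argument would cover the default path, which the fix also routes through `quoteFormValue`.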
Index: modules/html/pkgIndex.tcl
==================================================================
--- modules/html/pkgIndex.tcl
+++ modules/html/pkgIndex.tcl
@@ -1,2 +1,2 @@
if {![package vsatisfies [package provide Tcl] 8.2]} {return}
-package ifneeded html 1.4.3 [list source [file join $dir html.tcl]]
+package ifneeded html 1.4.4 [list source [file join $dir html.tcl]]