From ea1ca0be0c6e9f7924508a6260fa43dfb57d8427 Mon Sep 17 00:00:00 2001
From: Christoph Anton Mitterer <mail@christoph.anton.mitterer.name>
Date: Wed, 20 Mar 2013 23:41:43 +0100
Subject: [PATCH] escape version string to prevent XSS for sure

* HTML escape the remotely retrieved version string printed to the HTML in order
  to prevent and attacks (if this would have been possible at all in 12
  characters).

The version string read from the davical.org webserver might be changed by an
attacker in order to perform XSS.
Even though this is highly unlikley (there are only 12 characters used) it's
better to HTML escape any such string that is printed to HTML.

This was originally reported at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703290
---
 ChangeLog        | 3 +++
 debian/changelog | 2 +-
 htdocs/setup.php | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ed20829b..9488f8d9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,9 @@
 	* Changed the end-of-line encodings of all non-Windows-related and 
 	  non-autogenerated text files to use UNIX LF (lots of them had mixed
 	  LF/CRLF).
+	* HTML escape the remotely retrieved version string printed to the HTML
+	  in order to prevent and attacks (if this would have been possible at
+	  all in 12 characters).
 
 2013-03-06  Andrew McMillan  <andrew@morphoss.com>
 	* Fix capitalisation of 'plpgsql' & 'sql' for Postgres 9.2. (debbug #702403)
diff --git a/debian/changelog b/debian/changelog
index 39b9e344..a417d403 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,6 @@
 davical (1.1.2-1) unstable; urgency=low
 
-  * New upstream release (closes:#702403)
+  * New upstream release (closes:#702403, #703290)
 
  -- Andrew McMillan <awm@debian.org>  Wed, 01 May 2013 10:05:33 +1200
 
diff --git a/htdocs/setup.php b/htdocs/setup.php
index 54345f39..ac43670c 100644
--- a/htdocs/setup.php
+++ b/htdocs/setup.php
@@ -252,7 +252,7 @@ function check_davical_version() {
   $url = 'http://www.davical.org/current_davical_version?v='.$c->version_string;
   $version_file = @fopen($url, 'r');
   if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") . " '$url'", 'dep_warning' );
-  $current_version = trim(fread( $version_file,12));
+  $current_version = htmlentities( trim(fread( $version_file,12)) );
   fclose($version_file);
   $result = new CheckResult($c->version_string == $current_version);
   if ( ! $result->getOK() ) {