authorbugreport%peshkin.net <>2004-07-10 14:31:07 +0000
committerbugreport%peshkin.net <>2004-07-10 14:31:07 +0000
commitf3ac23f32c58ff3cb3653ffbc0a1b9feac5a905d (patch)
treed0ed4583b2fc8ec56913b7d0eaf2bfcadfdf012a
parentBug 234825: Prevent duplicates.cgi from revealing products user doesnt have a... (diff)
Bug 236650: html_quote and validate email addresses in editueser.cgi
patch by vlad r=joel,justdave a=justdave
-rwxr-xr-xeditusers.cgi14
1 files changed, 11 insertions, 3 deletions
diff --git a/editusers.cgi b/editusers.cgi
index f9800c704..a6c358d55 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -346,7 +346,7 @@ if ($action eq 'list') {
}
$realname = ($realname ? html_quote($realname) : "<FONT COLOR=\"red\">missing</FONT>");
print "<TR>\n";
- print " <TD VALIGN=\"top\"><A HREF=\"editusers.cgi?action=edit&user=", url_quote($user), "\"><B>$s$user$e</B></A></TD>\n";
+ print " <TD VALIGN=\"top\"><A HREF=\"editusers.cgi?action=edit&user=", url_quote($user), "\"><B>$s", html_quote($user), "$e</B></A></TD>\n";
print " <TD VALIGN=\"top\">$s$realname$e</TD>\n";
if ($candelete) {
print " <TD VALIGN=\"top\"><A HREF=\"editusers.cgi?action=del&user=", url_quote($user), "\">Delete</A></TD>\n";
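Review bot: The rewritten edit-link line still emits a bare `&` as the query-string separator inside the HREF attribute, so the attribute is not well-formed markup even though the displayed name is now passed through html_quote; write it as `&amp;`: `print " <TD VALIGN=\"top\"><A HREF=\"editusers.cgi?action=edit&amp;user=", url_quote($user), "\"><B>$s", html_quote($user), "$e</B></A></TD>\n";`. The unchanged Delete link two lines below has the same separator. `$s` and `$e` are still interpolated unescaped on either side of the quoted name; they are assigned above the hunk, so this is only safe if they hold fixed markup rather than anything derived from the row. The enclosing list loop starts outside the hunk.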
@@ -448,8 +448,8 @@ if ($action eq 'new') {
exit;
}
unless ($user =~ m/$emailregexp/) {
- print "The user name entered must be a valid e-mail address. Please press\n";
- print "<b>Back</b> and try again.\n";
+ print "The user name entered must be a valid e-mail address.\n";
+ print "Please press <b>Back</b> and try again.\n";
PutTrailer($localtrailer);
exit;
}
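Review bot: The reworded two-line "must be a valid e-mail address" message in the 'new' branch is now byte-identical to the block the commit adds in the 'update' branch (hunk starting at `@@ -759,6 +759,14 @@`), and both are followed by the same `PutTrailer($localtrailer); exit;` sequence, so the check is worth factoring into one helper so the two copies cannot drift. Both copies also leave anchoring entirely to the configured parameter: `m/$emailregexp/` adds none, so a partial match is accepted whenever the emailregexp parameter is not itself anchored, which deserves a comment at the call site. The enclosing 'new' branch starts outside the hunk; with the helper below the call site in each branch reduces to `check_user_email($user, $localtrailer);`.
```perl
# Print the standard error page and stop if $user does not match the
# site's emailregexp parameter.  The match is only as strict as the
# configured pattern: nothing is anchored here.
sub check_user_email {
    my ($user, $localtrailer) = @_;
    my $emailregexp = Param("emailregexp");
    return if $user =~ m/$emailregexp/;
    print "The user name entered must be a valid e-mail address.\n";
    print "Please press <b>Back</b> and try again.\n";
    PutTrailer($localtrailer);
    exit;
}
```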
@@ -759,6 +759,14 @@ if ($action eq 'update') {
CheckUser($userold);
+ my $emailregexp = Param("emailregexp");
+ unless ($user =~ m/$emailregexp/) {
+ print "The user name entered must be a valid e-mail address.\n";
+ print "Please press <b>Back</b> and try again.\n";
+ PutTrailer($localtrailer);
+ exit;
+ }
+
# Note that the order of this tests is important. If you change
# them, be sure to test for WHERE='$product' or WHERE='$productold'