From: rekter0 <58881147+rekter0@users.noreply.github.com>
Date: Mon, 7 Nov 2022 15:12:03 +0100
Subject: fix cross site scripting
Origin: https://github.com/eldy/AWStats/commit/38682330e1ec3f3af95f9436640358b2d9e4a965
Bug: https://github.com/eldy/AWStats/pull/226
Bug-Debian: https://bugs.debian.org/1025410
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-46391

XSS due to printing the response from Net::XWhois without proper checks
---
 wwwroot/cgi-bin/plugins/hostinfo.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wwwroot/cgi-bin/plugins/hostinfo.pm b/wwwroot/cgi-bin/plugins/hostinfo.pm
index 95b2c20b7b91..1f0ac699459d 100644
--- a/wwwroot/cgi-bin/plugins/hostinfo.pm
+++ b/wwwroot/cgi-bin/plugins/hostinfo.pm
@@ -181,7 +181,7 @@ sub BuildFullHTMLOutput_hostinfo {
 
 	&tab_head("Full Whois Field",0,0,'whois');
 	if ($w && $w->response()) {
-		print "<tr><td class=\"aws\"><pre>".($w->response())."</pre></td></tr>\n";
+		print "<tr><td class=\"aws\"><pre>".CleanXSS($w->response())."</pre></td></tr>\n";
 	}
 	else {
 		print "<tr><td><br />The Whois command failed.<br />Did the server running AWStats is allowed to send WhoIs queries (If a firewall is running, port 43 should be opened from inside to outside) ?<br /><br /></td></tr>\n";
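Review bot: The whois response printed inside `<pre>` on the changed `print` line is data controlled by a remote whois server, and `CleanXSS` is defined outside this hunk, so its behaviour cannot be checked from here. It is worth confirming that it HTML-encodes `<`, `>` and `&` for element content rather than only stripping a list of known patterns. `BuildFullHTMLOutput_hostinfo` starts before and continues past the hunk; if other values derived from `$w` are printed elsewhere in it, they presumably need the same wrapping. A short comment above the line, such as `# whois response is untrusted remote data; encode before embedding in HTML`, would help keep the wrapper in place through later refactors.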
-- 
2.38.1

