From 13dfd638bf0644589845d056f2b1fe247a689567 Mon Sep 17 00:00:00 2001
From: Vincent Li <vincent.mc.li@gmail.com>
Date: Fri, 3 Oct 2025 22:39:08 +0000
Subject: [PATCH] ids.cgi: Fixes bug 13878

commit 61f447ff341d2f7720fb6c5b483cc9fb063e869c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Sep 25 17:07:36 2025 +0200

    ids.cgi: Escape the remark before sending it back to the browser

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit f0015fefe6d2523c5bb9818fa6aeeb064f6e45db
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Thu Sep 25 13:12:38 2025 +0200

    ids.cgi: Fixes bug 13878

    Fixes: bug 13878 - IGNORE_ENTRY_REMARK Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
---
 html/cgi-bin/ids.cgi | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 369bf0276..ac03b7b5e 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -1404,7 +1404,10 @@ print <<END;
 					<td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td>
 
 					<td width='30%'>$Lang::tr{'remark'}: </td>
-					<td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td>
+                                        <td>
+                                                <input type='text' name=IGNORE_ENTRY_REMARK
+                                                        value='@{[ &Header::escape($entry_remark) ]}' size='24' />
+                                        </td>
 					<td align='center' width='20%'><input type='submit' name='WHITELIST' value='$buttontext' /></td>
 				</tr>
 				</form>