Subject: | [Patch] CGI.pm popup_menu if optgroup, $selected is not properly escaped. |
# perl -MCGI -e 'print
CGI::popup_menu(-values=>[CGI::optgroup(-name=>"A",-values=>["a","b+"])],-default=>"b\\+")';
^ selects b+
# mp perl -MCGI -e 'print
CGI::popup_menu(-values=>[CGI::optgroup(-name=>"A",-values=>["a","b+"])],-default=>"b+")';
^ selects nothing (or b if b exists)
... but why is the \\+ needed?
--- old/CGI.pm 2009-09-10 17:11:18.000000000 -0400
+++ new/CGI.pm 2009-09-10 17:11:29.000000000 -0400
@@ -2572,7 +2572,7 @@
for my $v (split(/\n/)) {
my $selectit = $XHTML ? 'selected="selected"' : 'selected';
for my $selected (keys %selected) {
- $v =~ s/(value="$selected")/$selectit $1/;
+ $v =~ s/(value="\Q$selected\E")/$selectit $1/;
}
$result .= "$v\n";
}
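Review bot: The `\Q...\E` on the added line stops `-default` from being compiled as a pattern, but the substitution still compares the raw default against the already-rendered `value="..."` text. If the optgroup markup was HTML-escaped when it was generated (likely, but not visible in this hunk), a default containing `&`, `<` or `"` will still select nothing. Consider matching the escaped form, e.g. `my $q = quotemeta($self->escapeHTML($selected));` followed by `$v =~ s/(value="$q")/$selectit $1/;`, assuming `$self` is in scope here. A regression test with defaults such as `b+`, `a(` and `x&y` would pin both behaviours, since before this change an unbalanced `(` in a default presumably made the substitution die with a pattern error. The enclosing loop begins outside the hunk.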