From 3e7aaee902c91581484b023a2bc5629945fe4c71 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 26 Oct 2021 10:13:41 +0200
Subject: [PATCH] auth tester, fix missing escape in diag_authentication.php
---
 src/www/diag_authentication.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/www/diag_authentication.php b/src/www/diag_authentication.php
index 549248d5e..ed37b63cb 100644
--- a/src/www/diag_authentication.php
+++ b/src/www/diag_authentication.php
@@ -68,8 +68,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 if (is_array($attr_value)) {
 $attr_value = implode(",", $attr_value);
 }
- $attr_value = str_replace("\n", "
", $attr_value);
- $savemsg .= "{$attr_name} => {$attr_value}
";
+ $attr_value = str_replace("\n", "
", htmlspecialchars($attr_value));
+ $savemsg .= htmlspecialchars($attr_name) . " => {$attr_value}
";
 }
 } else {
 $input_errors[] = gettext("Authentication failed.");
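Review bot: Both `htmlspecialchars()` calls added here rely on the default flags and charset, so the escaping depends on the PHP version: before 8.1 the defaults leave single quotes unescaped and return an empty string when the input is not valid in the default encoding, which would silently blank an attribute that holds binary or non-UTF-8 data. Passing the arguments explicitly makes the behaviour deterministic, e.g. `htmlspecialchars($attr_value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and the same for `$attr_name`. A one-line comment above the two lines, such as `// attribute names/values are untrusted (presumably returned by the tested auth server); escape before adding markup`, would record why the escape has to run before the newline replacement. How `$savemsg` is rendered is outside the hunk, so whether the quote handling matters in practice depends on code not shown here; the enclosing block also starts and ends outside the hunk.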