--- viewcvs.py.orig	Sat Oct 25 07:09:07 2003
+++ viewcvs.py	Sat Oct 25 07:23:19 2003
@@ -173,8 +173,14 @@
 
     # parse the query params into a dictionary (and use defaults)
     query_dict = default_settings.copy()
+
+    # RE that ViewCVS doesn't use in any URL, but a CSS attack might 
+    re_url_validate = re.compile('\'|"|<|>') 
     for name, values in cgi.parse().items():
-      query_dict[name] = values[0]
+      # do not accept values that contain non-ViewCVS characters 
+      # except for search 
+      if not re.search(re_url_validate, values[0]) or name == 'search': 
+        query_dict[name] = values[0]
 
     # set up query strings, prefixed by question marks and ampersands
     query = sticky_query(query_dict)
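Review bot: The character blacklist on L9/L14 filters input but does not escape output, so it is only a partial mitigation for the cross-site-scripting problem the L8 comment refers to (the comment says "CSS attack"; `# characters ViewCVS never uses in URL params, but a cross-site scripting payload needs` would be clearer). The `name == 'search'` exemption on L14 means that parameter is accepted with `'`, `"`, `<` and `>` intact, so every place the search value is written into HTML still needs `cgi.escape(value, 1)`, and the same escaping at output would cover parameters the blacklist misses. Rejected values are also dropped silently, leaving the default from `default_settings` in place, which is worth a comment at L15 since the caller gets no indication the request was altered. Passing the compiled object to `re.search` works, but the method form reads more naturally: `if name == 'search' or not re_url_validate.search(values[0]):`. The enclosing function starts and ends outside the hunk.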
@@ -478,7 +484,7 @@
 def markup_stream_enscript(lang, fp):
   sys.stdout.flush()
   enscript = popen.pipe_cmds([(os.path.normpath(os.path.join(cfg.options.enscript_path,'enscript')),
-                               '--color', '-W', 'html', '-E' + lang, '-o',
+                               '--color', '--language=html', '-E' + lang, '-o',
                                '-', '-'),
                               ('sed', '-n', '/^<PRE>$/,/<\\/PRE>$/p')])
 
@@ -494,7 +500,7 @@
   except IOError, v:
     print "<h3>Failure during use of an external program:</h3>"
     print "<pre>"
-    print os.path.normpath(os.path.join(cfg.options.enscript_path,'enscript')) + " --color -W html -E"+lang+" -o - -"
+    print os.path.normpath(os.path.join(cfg.options.enscript_path,'enscript')) + " --color --language=html -E"+lang+" -o - -"
     print "</pre>"
     raise
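Review bot: The command echoed on L33 is a hand-maintained copy of the argv list built at L22-L26, and this very commit had to change both in step; building the list once (e.g. `enscript_cmd = [os.path.normpath(os.path.join(cfg.options.enscript_path, 'enscript')), '--color', '--language=html', '-E' + lang, '-o', '-', '-']`) and printing `' '.join(enscript_cmd)` in the except branch would keep the diagnostic from drifting. The text is rendered inside `<pre>` without escaping, so if `lang` can come from the request it should be passed through `cgi.escape` here as well. markup_stream_enscript starts before this hunk.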
 

