There's a new issue with squid that has been reported on vuln-dev:
a url like
http://123.microsoft.com/<script>alert(this.document.cookie)</script>
does not have its html entities quoted (i.e. < > &) before display on an
error page. This allows cross site scripting attacks against all clients
behind squid proxies.
I suggest we add a html library file similar to the rfc1738 one to take a
string and return a "safe to show on a web page" by escaping all the known
entities.
Probably there is a "standard way of doing this" - perhaps the xml library
or some other library can just be linked in....
Rob
Received on Sat Oct 28 2000 - 18:05:57 MDT
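
One way to write the helper proposed in the message above, as an added example that is not part of the original post and is not Squid's own code. The names html_escape and entity_for are hypothetical, and the sample URL path is taken from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Map one byte to its HTML entity, or NULL if it can be copied as-is. */
static const char *entity_for(unsigned char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Hypothetical helper: returns a newly allocated copy of `in` that is safe
 * to show in HTML text or a quoted attribute. Caller frees; NULL on OOM. */
char *html_escape(const char *in)
{
    size_t need = 1;                    /* room for the terminating NUL */
    const char *p;
    char *out, *q;
    for (p = in; *p; p++) {             /* first pass: size the output exactly */
        const char *e = entity_for((unsigned char)*p);
        need += e ? strlen(e) : 1;
    }
    out = malloc(need);
    if (out == NULL) return NULL;
    for (p = in, q = out; *p; p++) {    /* second pass: copy or substitute */
        const char *e = entity_for((unsigned char)*p);
        if (e) {
            strcpy(q, e);
            q += strlen(e);
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

int main(void)
{
    /* URL path from the report, escaped the way an error page would need it */
    char *safe = html_escape("/<script>alert(this.document.cookie)</script>");
    if (safe) { puts(safe); free(safe); }
    return 0;
}
```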