On Sun, Oct 29, 2000, Robert Collins wrote:
> There's a new issue with squid been reported on vuln-dev:
>
> a URL like
> http://123.microsoft.com/<script>alert(this.document.cookie)</script>
> does not have its HTML entities quoted (i.e. & > &) before display on an
> error page. This allows cross-site scripting attacks against all clients
> behind squid proxies.
>
> I suggest we add an HTML library file similar to the rfc1738 one to take a
> string and return a "safe to show on a web page" one by escaping all the known
> entities.
>
> Probably there is a "standard way of doing this" - perhaps the xml library
> or some other library can just be linked in....
Interesting. Ok, I'll commit what you've sent as a patch unless anyone
objects in the next couple days.
--
Adrian Chadd                    "God: Damn! I left pot everywhere!
<adrian@creative.net.au>         Now I'll have to create Republicans!"
                                 - Bill Hicks

Received on Sun Oct 29 2000 - 07:34:01 MST
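For reference, an added example of the kind of "safe to show on a web page" escaper the thread proposes. This is not Squid's own code and not the patch under discussion; the function names html_escape, escapes_to and escaped_is_inert are my own, and the sample input is the URL quoted in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the characters that let an untrusted string break out of HTML
 * text or a quoted attribute value.  Added example, not Squid's code.
 * Returns a malloc()ed string the caller must free(), or NULL if
 * allocation fails. */
char *html_escape(const char *in)
{
    static const struct { char c; const char *rep; } table[] = {
        { '&',  "&amp;"  },  /* escaped so the other entities cannot be undone */
        { '<',  "&lt;"   },
        { '>',  "&gt;"   },
        { '"',  "&quot;" },  /* needed when the string lands in an attribute */
        { '\'', "&#39;"  },  /* numeric form: &apos; is not HTML 4 */
    };
    const size_t ntab = sizeof table / sizeof table[0];
    size_t outlen = 0, i;
    const char *p;
    char *out, *q;

    /* Pass 1: compute the exact output length so no fixed buffer can overflow. */
    for (p = in; *p; p++) {
        size_t n = 1;
        for (i = 0; i < ntab; i++)
            if (*p == table[i].c) { n = strlen(table[i].rep); break; }
        outlen += n;
    }
    out = malloc(outlen + 1);
    if (out == NULL)
        return NULL;

    /* Pass 2: copy, substituting entities for the five special characters. */
    q = out;
    for (p = in; *p; p++) {
        const char *rep = NULL;
        for (i = 0; i < ntab; i++)
            if (*p == table[i].c) { rep = table[i].rep; break; }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Check helper: does html_escape(in) produce exactly `expected`?
 * Returns 1 for yes, 0 for a mismatch or allocation failure. */
int escapes_to(const char *in, const char *expected)
{
    char *e = html_escape(in);
    int ok = (e != NULL && strcmp(e, expected) == 0);
    free(e);
    return ok;
}

/* Check helper: after escaping, no raw markup characters may remain. */
int escaped_is_inert(const char *in)
{
    char *e = html_escape(in);
    int ok = (e != NULL && strpbrk(e, "<>\"'") == NULL);
    free(e);
    return ok;
}

int main(void)
{
    /* Constructed input: the URL from the vuln-dev report. */
    const char *url =
        "http://123.microsoft.com/<script>alert(this.document.cookie)</script>";
    char *safe = html_escape(url);
    if (safe == NULL)
        return 1;
    printf("raw:     %s\n", url);
    printf("escaped: %s\n", safe);
    free(safe);
    return 0;
}
```

Two practical points: the escaping has to happen exactly once, at the moment the untrusted string is written into the HTML (feeding an already-escaped string through it again turns `&amp;` into `&amp;amp;`), and it is a different operation from the rfc1738 URL encoding already in the tree, which protects a URL context rather than an HTML one; an error page that embeds the request URL in both text and an href needs the right one for each position.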
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:53 MST