Re: Anyone here read vuln-dev?

From: Adrian Chadd <adrian@dont-contact.us>
Date: Sun, 29 Oct 2000 22:33:51 +0800

On Sun, Oct 29, 2000, Robert Collins wrote:
> There's a new issue with squid being reported on vuln-dev:
>
> a url like
> http://123.microsoft.com/<script>alert(this.document.cookie)</script>
> does not have its html entities quoted (i.e. & -> &amp;) before display on an
> errorpage. This allows cross-site scripting attacks against all clients
> behind squid proxies.
>
> I suggest we add a html library file similar to the rfc1738 one to take a
> string and return a "safe to show on a web page" by escaping all the known
> entities.
>
> Probably there is a "standard way of doing this" - perhaps the xml library
> or some other library can just be linked in....

Interesting. Ok, I'll commit what you've sent as a patch unless anyone
objects in the next couple days.

-- 
Adrian Chadd			"God: Damn! I left pot everywhere!
<adrian@creative.net.au>	  Now I'll have to create Republicans!"
				    - Bill Hicks
Received on Sun Oct 29 2000 - 07:34:01 MST
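The fix the thread proposes is an HTML-quoting routine alongside the existing rfc1738 one, applied to the request URL before it is dropped into an error page. The following is an added example written for this page; it is not Squid's code and not the patch Robert sent. The function names (html_quote, build_error_page, has_raw_markup) and the error-page template are assumptions made for illustration; the sample URL is the one from the report above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc()ed copy of s with the characters that are
 * significant in HTML text and attribute values replaced by entities.
 * The caller frees the result.  Quoting is done exactly once, at
 * output time, so an input that already contains "&amp;" becomes
 * "&amp;amp;" and still renders as the literal text that was sent. */
char *html_quote(const char *s)
{
    size_t n = 0;
    const char *p;

    /* First pass: size the output buffer. */
    for (p = s; *p; p++) {
        switch (*p) {
        case '&':  n += 5; break;   /* &amp;  */
        case '<':  n += 4; break;   /* &lt;   */
        case '>':  n += 4; break;   /* &gt;   */
        case '"':  n += 6; break;   /* &quot; */
        case '\'': n += 5; break;   /* &#39;  */
        default:   n += 1; break;
        }
    }

    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;

    /* Second pass: copy, substituting entities. */
    char *q = out;
    for (p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        if (rep != NULL) {
            size_t l = strlen(rep);
            memcpy(q, rep, l);
            q += l;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Render an error page fragment for a failed request.  The URL is
 * quoted both where it appears as text and where it appears inside an
 * href attribute; the attribute case is why '"' must be quoted too.
 * Returns the number of bytes written, or -1 if the buffer is too
 * small or allocation failed.  (Assumed template, not Squid's.) */
int build_error_page(const char *url, char *buf, size_t buflen)
{
    char *safe = html_quote(url);
    if (safe == NULL)
        return -1;
    int len = snprintf(buf, buflen,
                       "<p>The requested URL <a href=\"%s\">%s</a> "
                       "could not be retrieved.</p>\n", safe, safe);
    free(safe);
    if (len < 0 || (size_t)len >= buflen)
        return -1;
    return len;
}

/* Check used by the test: 1 if a quoted string still contains raw
 * markup characters that could open a tag or attribute, else 0. */
int has_raw_markup(const char *s)
{
    return strpbrk(s, "<>\"'") != NULL;
}

int main(void)
{
    /* Constructed input: the URL from the vuln-dev report. */
    const char *url =
        "http://123.microsoft.com/<script>alert(this.document.cookie)</script>";
    char page[512];
    if (build_error_page(url, page, sizeof page) < 0)
        return 1;
    fputs(page, stdout);
    return 0;
}
```

Note that quoting belongs at the point where the string is written into HTML, not where the request is parsed: the URL must stay in its original form for forwarding to the origin server, and only the copy that lands in the error page is transformed.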