Re: [Sks-devel] Fwd: CVE request: SKS non-persistent XSS
From: Daniel Kahn Gillmor
Subject: Re: [Sks-devel] Fwd: CVE request: SKS non-persistent XSS
Date: Fri, 02 May 2014 17:48:33 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.5.0
On 05/02/2014 07:35 AM, Kristian Fiskerstrand wrote:
> A non-persistent client-side cross-site scripting attack was reported
> against SKS[0] resulting from improper input sanitation before writing
> to a client. The issue has been fixed in the development trunk[1] for
> inclusion in an upcoming 1.1.5 release.
Thanks for sorting this out, Kristian.

I'm looking at your patch 378:88d453cdc858, and I note that it wraps s in
HtmlTemplates.html_quote in wserver.ml in many places, mostly where ~body:
is being set, but also in some cases where s shows up as an argument to
plerror (e.g. in Bad_request).

However, there are other invocations of plerror in the same section where
s doesn't get html_quote'ed (e.g. in Page_not_found).

I don't see where plerror is defined, actually, other than the interface
declared in common.mli, so I'm not sure whether plerror needs escaping or
not.

But it seems like they should either all be escaped or none. Is there a
reason to do some and not others?

--dkg
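The review point above (escape the reflected request string on every error path, not just some) can be made checkable. The following is an added illustration, not SKS code and not the patch under discussion; it is written in Python rather than the OCaml of wserver.ml, and the handler names, the `SAMPLE_INPUT` probe and the `audit` helper are constructed for this example. It shows one shared rendering path that escapes in a single place, the "escaped in one handler, forgotten in another" shape dkg describes, and a small check that flags any handler reflecting raw markup.

```python
import html

# Constructed sample: a request string containing HTML-significant
# characters, of the kind a keyserver might echo back in an error page.
SAMPLE_INPUT = '/pks/lookup?search=<b>"x"</b>&op=get'


def html_quote(s: str) -> str:
    """Escape &, <, >, " and ' so the string is inert inside an HTML body."""
    return html.escape(s, quote=True)


def error_body(status: int, reason: str, s: str) -> str:
    """Single rendering path for every error page.

    The reflected request string is escaped here, once, so no individual
    handler can forget to do it."""
    return (f"<html><head><title>{status} {reason}</title></head>"
            f"<body><h1>{reason}</h1><p>Request: {html_quote(s)}</p>"
            f"</body></html>")


# 'After' shape: every handler goes through error_body().
def bad_request(s: str) -> str:
    return error_body(400, "Bad request", s)


def page_not_found(s: str) -> str:
    return error_body(404, "Page not found", s)


# 'Before' shape (constructed): per-handler escaping, where one handler
# escapes and the other reflects the input verbatim.
def bad_request_before(s: str) -> str:
    return f"<p>Bad request: {html_quote(s)}</p>"


def page_not_found_before(s: str) -> str:
    return f"<p>Page not found: {s}</p>"


def reflects_raw_markup(render, s: str) -> bool:
    """Detection check: True if the rendered page contains the probe string
    unchanged, i.e. its markup characters were not escaped."""
    if not any(c in s for c in '<>&"\''):
        raise ValueError("probe must contain at least one markup character")
    return s in render(s)


def audit(handlers: dict, probe: str = SAMPLE_INPUT) -> list:
    """Return the names of handlers that reflect the probe without escaping.
    An empty list means every path escapes consistently."""
    return sorted(name for name, fn in handlers.items()
                  if reflects_raw_markup(fn, probe))


if __name__ == "__main__":
    print("after :", audit({"bad_request": bad_request,
                            "page_not_found": page_not_found}))
    print("before:", audit({"bad_request": bad_request_before,
                            "page_not_found": page_not_found_before}))
```

Routing every error through one function removes the question of which plerror call sites need html_quote: the escape happens before any caller can reach the body. The `audit` check is the kind of thing to run over all error handlers in a test suite so a newly added path cannot silently reintroduce the inconsistency.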