Updated http-server to make sure URLs in error-messages

are URL-encoded. Added support in http-client to use
URL-encoding. Also added the missing include directory
for the inets application.

OTP-8940

[httpd] Prevent XSS in error pages.
Prevent user controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
Michael Santos

OTP-9124

1 files changed, 18 insertions, 2 deletions

diff --git a/lib/inets/src/http_lib/http_util.erl b/lib/inets/src/http_lib/http_util.erl
index 4f1147176c..be0602ff6e 100644
--- a/lib/inets/src/http_lib/http_util.erl
+++ b/lib/inets/src/http_lib/http_util.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2005-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2005-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -24,7 +24,8 @@
 	 convert_netscapecookie_date/1,
 	 hexlist_to_integer/1, integer_to_hexlist/1, 
 	 convert_month/1, 
-	 is_hostname/1,
+	 is_hostname/1, 
+	 html_encode/1, 
 	 timestamp/0, timeout/2
 	]).
 
@@ -185,7 +186,14 @@ timeout(Timeout, Started) ->
 	_ ->
 	    0
     end.
+
     
+html_encode(Chars) ->
+    Reserved = sets:from_list([$&, $<, $>, $\", $', $/]),
+    lists:append(lists:map(fun(Char) ->
+				   char_to_html_entity(Char, Reserved)
+			   end, Chars)).
+
 
 %%%========================================================================
 %%% Internal functions
@@ -235,3 +243,11 @@ convert_to_ascii([Num | Reversed], Number)
 convert_to_ascii([Num | Reversed], Number) 
   when (Num > 9) andalso (Num < 16) ->
     convert_to_ascii(Reversed, [Num + 55 | Number]).
+
+char_to_html_entity(Char, Reserved) ->
+    case sets:is_element(Char, Reserved) of
+        true ->
+            "&#" ++ integer_to_list(Char) ++ ";";
+        false ->
+            [Char]
+    end.