author | Micael Karlberg <[email protected]> | 2011-09-15 09:43:48 +0200 |
---|---|---|
committer | Micael Karlberg <[email protected]> | 2011-09-15 09:43:48 +0200 |
commit | 98fd9df4c4a04554fd2f707ca9ea2d674fad984d (patch) | |
tree | 8861e1e85f352d828cf31f0690feaae63c0088bd /lib/inets/src/http_server/httpd_request.erl | |
parent | 50261525973798faf7f62ea02356447b16e5fc56 (diff) | |
download | otp-98fd9df4c4a04554fd2f707ca9ea2d674fad984d.tar.gz otp-98fd9df4c4a04554fd2f707ca9ea2d674fad984d.tar.bz2 otp-98fd9df4c4a04554fd2f707ca9ea2d674fad984d.zip |
Updated http-server to make sure URLs in error messages
are URL-encoded. Added support in http-client to use
URL-encoding. Also added the missing include directory
for the inets application.
OTP-8940
[httpd] Prevent XSS in error pages.
Prevent user-controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
Michael Santos
OTP-9124
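The two fixes the commit message names (percent-encoding a URL before it is shown in an error message, and HTML-escaping the reserved characters so user input is never parsed as markup) shown side by side with the unsafe pattern they replace. This is an added illustration written in Erlang for this page; it is not code from OTP, inets or this commit. The module name, function names and the constructed request path are all hypothetical, and `url_encode/1` assumes its input is a list of bytes (0..255), which is what httpd's request path is in this era of inets.

```erlang
%% error_page_example.erl -- added illustration, not OTP/inets code.
-module(error_page_example).
-export([escape_html/1, url_encode/1, unsafe_not_found/1,
         safe_not_found/1, demo/0]).

%% HTML-escape the five reserved characters. Each input character is
%% looked at exactly once, so the order of the clauses does not matter
%% and '&' cannot be double-escaped.
escape_html(Str) when is_list(Str) ->
    lists:flatmap(fun escape_char/1, Str).

escape_char($&) -> "&amp;";
escape_char($<) -> "&lt;";
escape_char($>) -> "&gt;";
escape_char($") -> "&quot;";
escape_char($') -> "&#39;";
escape_char(C)  -> [C].

%% Percent-encode every byte outside the RFC 3986 unreserved set.
%% "/" is kept so a path still reads as a path in the message; every
%% HTML-active character ("<", ">", "&", both quotes) becomes %XX.
%% Assumption: Str is a list of bytes (0..255), not Unicode code points.
url_encode(Str) when is_list(Str) ->
    lists:flatmap(fun url_encode_char/1, Str).

url_encode_char(C) when C >= $a, C =< $z; C >= $A, C =< $Z;
                        C >= $0, C =< $9; C =:= $-; C =:= $_;
                        C =:= $.; C =:= $~; C =:= $/ ->
    [C];
url_encode_char(C) when C >= 0, C =< 255 ->
    [$% | pad2(integer_to_list(C, 16))].

pad2([X]) -> [$0, X];
pad2(L)   -> L.

%% Vulnerable pattern: the request URI is spliced straight into markup,
%% so a path like "/<script>..." runs as a script in the 404 body.
unsafe_not_found(RequestURI) ->
    "<html><body><h1>Not Found</h1><p>The requested URL "
        ++ RequestURI ++ " was not found.</p></body></html>".

%% Hardened pattern: percent-encode the URI, then HTML-escape the result.
%% The second step is a no-op for an already percent-encoded string but
%% keeps the page safe if a later change drops the first step.
safe_not_found(RequestURI) ->
    "<html><body><h1>Not Found</h1><p>The requested URL "
        ++ escape_html(url_encode(RequestURI))
        ++ " was not found.</p></body></html>".

demo() ->
    %% Constructed attacker-controlled path; not taken from any real log.
    Payload = "/docs/<script>alert(document.cookie)</script>?x=1&y=\"2\"",
    io:format("unsafe: ~s~n", [unsafe_not_found(Payload)]),
    io:format("safe:   ~s~n", [safe_not_found(Payload)]),
    ok.
```

Compile with `erlc error_page_example.erl` and run `error_page_example:demo().` in a shell: the unsafe body contains a literal `<script>` element, the safe body contains `%3Cscript%3E` and nothing the HTML parser treats as a tag. The point for a reviewer is that the escaping happens at the moment of interpolation into the page, not somewhere upstream in request parsing where a later code path might bypass it.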
Diffstat (limited to 'lib/inets/src/http_server/httpd_request.erl')
-rw-r--r-- | lib/inets/src/http_server/httpd_request.erl | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/inets/src/http_server/httpd_request.erl b/lib/inets/src/http_server/httpd_request.erl index 8eee08e766..75f03c4fc2 100644 --- a/lib/inets/src/http_server/httpd_request.erl +++ b/lib/inets/src/http_server/httpd_request.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2005-2010. All Rights Reserved. +%% Copyright Ericsson AB 2005-2011. All Rights Reserved. %% %% The contents of this file are subject to the Erlang Public License, %% Version 1.1, (the "License"); you may not use this file except in @@ -256,9 +256,9 @@ validate_uri(RequestURI) -> UriNoQueryNoHex = case string:str(RequestURI, "?") of 0 -> - (catch httpd_util:decode_hex(RequestURI)); + (catch http_uri:decode(RequestURI)); Ndx -> - (catch httpd_util:decode_hex(string:left(RequestURI, Ndx))) + (catch http_uri:decode(string:left(RequestURI, Ndx))) end, case UriNoQueryNoHex of {'EXIT',_Reason} -> |
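Review bot: in the validate_uri/1 hunk the surrounding `catch` and the `{'EXIT',_Reason}` match were written for httpd_util:decode_hex/1 and are carried over unchanged to http_uri:decode/1; that branch only rejects the request if the new function actually exits on a malformed escape such as a truncated "%4" or a non-hex "%zz". If http_uri:decode/1 returns an error tuple or passes such input through, the `case` falls into the success branches and the malformed URI reaches the error page that OTP-9124 is hardening. Please confirm its failure mode, match it explicitly rather than relying on an exit, and add a test for those two inputs. Pre-existing but visible in the same lines: `string:left(RequestURI, Ndx)` keeps the "?" itself, so the value bound to UriNoQueryNoHex ends in "?" despite its name; a comment there would save the next reader the same double-take.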