Updated http-server to make sure URLs in error-messages

are URL-encoded. Added support in http-client to use
URL-encoding. Also added the missing include directory
for the inets application.

OTP-8940

[httpd] Prevent XSS in error pages.
Prevent user controlled input from being interpreted
as HTML in error pages by encoding the reserved HTML
characters.
Michael Santos

OTP-9124

1 files changed, 4 insertions, 2 deletions

diff --git a/lib/inets/src/http_server/mod_dir.erl b/lib/inets/src/http_server/mod_dir.erl
index cdc7cc01e4..35e9de24e2 100644
--- a/lib/inets/src/http_server/mod_dir.erl
+++ b/lib/inets/src/http_server/mod_dir.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %% 
-%% Copyright Ericsson AB 1997-2009. All Rights Reserved.
+%% Copyright Ericsson AB 1997-2011. All Rights Reserved.
 %% 
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -18,9 +18,11 @@
 %%
 %%
 -module(mod_dir).
+
 -export([do/1]).
 
 -include("httpd.hrl").
+-include("httpd_internal.hrl").
 
 %% do
 
@@ -57,7 +59,7 @@ do_dir(Info) ->
     case file:read_file_info(DefaultPath) of
 	{ok,FileInfo} when FileInfo#file_info.type == directory ->
 	    DecodedRequestURI =
-		httpd_util:decode_hex(Info#mod.request_uri),
+		http_uri:decode(Info#mod.request_uri),
 	    ?DEBUG("do_dir -> ~n"
 		   "      Path:              ~p~n"
 		   "      DefaultPath:       ~p~n"