author | Michael Santos <[email protected]> | 2011-02-21 13:53:56 -0500 |
---|---|---|
committer | Niclas Axelsson <[email protected]> | 2011-02-22 15:35:05 +0100 |
commit | 4827d5db5fb2ca10772f70fbb6ad7f7f99285d96 (patch) | |
tree | b681371a39d8cb62eefaea436f28f5f51e5868e3 /lib/inets/test/httpd_basic_SUITE.erl | |
parent | b0d6abb72cf32df548703b284b737a4a7c0a9d8a (diff) | |
inets: prevent XSS in error pages
Prevent user controlled input from being interpreted as HTML in error
pages by encoding the reserved HTML characters. The reserved character
set should be safe for displaying data within the body of HTML pages
as outlined here:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Previously, weird URLs were URI encoded in the error page. This worked
quite well but the URL would be displayed in the HTML in percent encoded
format. There was also a check for URIs that were already escaped (by
the browser), which would fail if the browser sent a URI containing a
"%", e.g.:
w3m "http://localhost:8080/<b>foo</b>?%"
Also encode the HTTP method and version, since it's possible they may be
manipulated:
<b>FOO</b> /index.html HTTP/1.0
GET /index.html <b>foo</b>/1.0
Encode the static messages to prevent characters from being interpreted
as HTML such as "heavy load (>~w processes)".
Diffstat (limited to 'lib/inets/test/httpd_basic_SUITE.erl')
-rw-r--r-- | lib/inets/test/httpd_basic_SUITE.erl | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/lib/inets/test/httpd_basic_SUITE.erl b/lib/inets/test/httpd_basic_SUITE.erl
index dcea200a1a..1cb07c2f5b 100644
--- a/lib/inets/test/httpd_basic_SUITE.erl
+++ b/lib/inets/test/httpd_basic_SUITE.erl
@@ -151,12 +151,13 @@ escaped_url_in_error_body(Config) when is_list(Config) ->
 URL = ?URL_START ++ integer_to_list(Port) ++ Path,
 EscapedPath = http_uri:encode(Path),
 {ok, {404, Body}} = httpc:request(get, {URL, []},
- [{url_encode, true}],
- [{version, "HTTP/1.0"}, {full_result, false}]),
+ [{url_encode, true}, {version, "HTTP/1.0"}],
+ [{full_result, false}]),
 EscapedPath = find_URL_path(string:tokens(Body, " ")),
- {ok, {404, Body1}} = httpc:request(get, {URL, []}, [],
- [{version, "HTTP/1.0"}, {full_result, false}]),
- EscapedPath = find_URL_path(string:tokens(Body1, " ")),
+ {ok, {404, Body1}} = httpc:request(get, {URL, []},
+ [{version, "HTTP/1.0"}], [{full_result, false}]),
+ HTMLEncodedPath = http_util:html_encode(Path),
+ HTMLEncodedPath = find_URL_path(string:tokens(Body1, " ")),
 inets:stop(httpd, Pid).
 find_URL_path([]) -> |
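Review bot: The new assertion `HTMLEncodedPath = find_URL_path(string:tokens(Body1, " "))` is a positive match only: it shows the HTML-encoded path is found in the 404 body, but as far as this hunk shows it would not fail if the page also echoed the raw path somewhere else. A negative check right after it, such as `0 = string:str(Body1, Path),`, would pin the property the commit is after, namely that the unencoded markup never reaches the response. The commit message also says the HTTP method and version are now encoded, yet this test exercises only the request path; the diffstat shown is limited to this file, so if no other suite covers those two fields, a case for each belongs here. `Path` is bound above the hunk and the body of `find_URL_path/1` continues below it, so their behaviour is inferred from how they are used.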