otp.git - Mirror of Erlang/OTP repository.

Age	Commit message (Collapse)	Author
2011-11-09	More merge cleanup.	Micael Karlberg

2011-11-09	Initial merge from r13 topic branch. With minimal cleanup.	Micael Karlberg
	Merge branch 'bmk/inets/httpd/xss_when_erl_encoded/r13/OTP-9655' into bmk/inets/httpd/xss_when_erl_encoded/r14/OTP-9655 Conflicts: lib/inets/doc/src/notes.xml lib/inets/src/http_lib/http_uri.erl lib/inets/src/http_lib/http_util.erl lib/inets/src/http_server/httpd_file.erl lib/inets/src/http_server/httpd_request.erl lib/inets/src/http_server/httpd_request_handler.erl lib/inets/src/http_server/httpd_util.erl lib/inets/src/inets_app/inets.appup.src lib/inets/test/httpc_SUITE.erl lib/inets/test/httpd_SUITE.erl lib/inets/test/httpd_basic_SUITE.erl lib/inets/test/httpd_test_lib.erl lib/inets/vsn.mk
2011-10-25	The XSS prevention methods used was confused if the	Micael Karlberg
	URL was encoded (hex-encoded). OTP-9655
2011-09-15	Updated http-server to make sure URLs in error-messages	Micael Karlberg
	are URL-encoded. Added support in http-client to use URL-encoding. Also added the missing include directory for the inets application. OTP-8940 [httpd] Prevent XSS in error pages. Prevent user controlled input from being interpreted as HTML in error pages by encoding the reserved HTML characters. Michael Santos OTP-9124
2011-03-17	Merge branch 'dev' into bmk/inets/httpd/prevent_xss_in_error_pages/OTP-9124	Micael Karlberg

2011-03-11	Update copyright years	Björn-Egil Dahlberg

2011-03-11	[httpd] Prevent XSS in error pages.	Micael Karlberg
	Prevent user controlled input from being interpreted as HTML in error pages by encoding the reserved HTML characters.
2011-02-22	inets: prevent XSS in error pages	Michael Santos
	Prevent user controlled input from being interpreted as HTML in error pages by encoding the reserved HTML characters. The reserved character set should be safe for displaying data within the body of HTML pages as outlined here: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Previously, weird URLs were URI encoded in the error page. This worked quite well but the URL would be displayed in the HTML in percent encoded format. There was also a check for URIs that were already escaped (by the browser) that would fail if the browser sent an URI containing a "%", e.g.: w3m "http://localhost:8080/<b>foo</b>?%" Also encode the HTTP method and version, since it's possible they may be manipulated: <b>FOO</b> /index.html HTTP/1.0 GET /index.html <b>foo</b>/1.0 Encode the static messages to prevent characters from being interpreted as HTML such as "heavy load (>~w processes)".
2011-02-17	Rename Suite Callback to Common Test Hook	Lukas Larsson

2011-02-17	Fix formatting for inets	Lukas Larsson

2011-02-17	Add ts_install_scb to suite/0	Lukas Larsson

2011-02-17	Update inets tests to conform with common_test standard	Lukas Larsson

2010-11-29	URL-encoding - add support in client and more usage in server. Also	Ingela Anderton Andin
	added missing include directory.
2010-01-13	OTP-8016, OTP-8056, OTP-8103, OTP-8106, OTP-8312, OTP-8315, OTP-8327, OTP-8349,	Micael Karlberg
	OTP-8351, OTP-8359 & OTP-8371.