From 4827d5db5fb2ca10772f70fbb6ad7f7f99285d96 Mon Sep 17 00:00:00 2001 From: Michael Santos Date: Mon, 21 Feb 2011 13:53:56 -0500 Subject: inets: prevent XSS in error pages Prevent user controlled input from being interpreted as HTML in error pages by encoding the reserved HTML characters. The reserved character set should be safe for displaying data within the body of HTML pages as outlined here: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Previously, weird URLs were URI encoded in the error page. This worked quite well but the URL would be displayed in the HTML in percent encoded format. There was also a check for URIs that were already escaped (by the browser) that would fail if the browser sent an URI containing a "%", e.g.: w3m "http://localhost:8080/foo?%" Also encode the HTTP method and version, since it's possible they may be manipulated: FOO /index.html HTTP/1.0 GET /index.html foo/1.0 Encode the static messages to prevent characters from being interpreted as HTML such as "heavy load (>~w processes)". --- lib/inets/src/http_lib/http_util.erl | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) (limited to 'lib/inets/src/http_lib') diff --git a/lib/inets/src/http_lib/http_util.erl b/lib/inets/src/http_lib/http_util.erl index 4f1147176c..5e6b69ac5e 100644 --- a/lib/inets/src/http_lib/http_util.erl +++ b/lib/inets/src/http_lib/http_util.erl @@ -25,7 +25,8 @@ hexlist_to_integer/1, integer_to_hexlist/1, convert_month/1, is_hostname/1, - timestamp/0, timeout/2 + timestamp/0, timeout/2, + html_encode/1 ]). @@ -187,6 +188,13 @@ timeout(Timeout, Started) -> end. +html_encode(Chars) -> + Reserved = sets:from_list([$&, $<, $>, $\", $', $/]), + lists:append(lists:map(fun(Char) -> + char_to_html_entity(Char, Reserved) + end, Chars)). + + %%%======================================================================== %%% Internal functions %%%======================================================================== @@ -235,3 +243,11 @@ convert_to_ascii([Num | Reversed], Number) convert_to_ascii([Num | Reversed], Number) when (Num > 9) andalso (Num < 16) -> convert_to_ascii(Reversed, [Num + 55 | Number]). + +char_to_html_entity(Char, Reserved) -> + case sets:is_element(Char, Reserved) of + true -> + "&#" ++ integer_to_list(Char) ++ ";"; + false -> + [Char] + end. -- cgit v1.2.3