[bknr-cvs] edi changed trunk/thirdparty/hunchentoot/

BKNR Commits bknr at bknr.net
Tue Mar 30 13:22:17 UTC 2010


Revision: 4522
Author: edi
URL: http://bknr.net/trac/changeset/4522

Safeguard measures against XSS attacks (J.P. Larocque)

U   trunk/thirdparty/hunchentoot/CHANGELOG
U   trunk/thirdparty/hunchentoot/headers.lisp
U   trunk/thirdparty/hunchentoot/util.lisp

Modified: trunk/thirdparty/hunchentoot/CHANGELOG
===================================================================
--- trunk/thirdparty/hunchentoot/CHANGELOG	2010-03-23 12:57:15 UTC (rev 4521)
+++ trunk/thirdparty/hunchentoot/CHANGELOG	2010-03-30 13:22:17 UTC (rev 4522)
@@ -1,3 +1,4 @@
+Safeguard measures against XSS attacks (J.P. Larocque)
 Prevent potential leak when closing stream (Matt Lamari, Martin Simmons)
 Change some occurrences of HANDLER-CASE* to HANDLER-CASE (Hans Hübner, Allan Dee)
 
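Review bot: the changelog entry names the goal but not what changed; since this fix alters which request-derived values reach the canned status pages (the Location header and script name in headers.lisp, the host in util.lisp), a short note listing the outputs that are now HTML-escaped would let downstream users judge whether their own templates or tests are affected.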

Modified: trunk/thirdparty/hunchentoot/headers.lisp
===================================================================
--- trunk/thirdparty/hunchentoot/headers.lisp	2010-03-23 12:57:15 UTC (rev 4521)
+++ trunk/thirdparty/hunchentoot/headers.lisp	2010-03-30 13:22:17 UTC (rev 4522)
@@ -157,15 +157,15 @@
                           ((#.+http-internal-server-error+) content)
                           ((#.+http-moved-temporarily+ #.+http-moved-permanently+)
                            (format nil "The document has moved <a href='~A'>here</a>"
-                                   (header-out :location)))
+                                   (escape-for-html (header-out :location))))
                           ((#.+http-authorization-required+)
                            "The server could not verify that you are authorized to access the document requested.  Either you supplied the wrong credentials \(e.g., bad password), or your browser doesn't understand how to supply the credentials required.")
                           ((#.+http-forbidden+)
                            (format nil "You don't have permission to access ~A on this server."
-                                   (script-name request)))
+                                   (escape-for-html (script-name request))))
                           ((#.+http-not-found+)
                            (format nil "The requested URL ~A was not found on this server."
-                                   (script-name request)))
+                                   (escape-for-html (script-name request))))
                           ((#.+http-bad-request+)
                            "Your browser sent a request that this server could not understand.")
                           (otherwise ""))
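Review bot: in the redirect branch the escaped `(header-out :location)` is interpolated into a single-quoted attribute (`<a href='~A'>here</a>`), so `escape-for-html` must encode the single quote as well as `<`, `>`, `&` and `"`, otherwise the attribute can still be terminated early; please confirm the escaper covers it, or switch the attribute to double quotes if only those are encoded. Separately, `header-out` returns NIL when no Location header was set; the old `~A` path rendered that as the literal text `NIL`, whereas passing NIL to a string-only escaper would signal an error inside the error-page generator itself, so `(escape-for-html (or (header-out :location) ""))` is the safer form, matching the existing `(or (host *request*) "")` guard in util.lisp.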

Modified: trunk/thirdparty/hunchentoot/util.lisp
===================================================================
--- trunk/thirdparty/hunchentoot/util.lisp	2010-03-23 12:57:15 UTC (rev 4521)
+++ trunk/thirdparty/hunchentoot/util.lisp	2010-03-30 13:22:17 UTC (rev 4522)
@@ -302,7 +302,7 @@
           +implementation-link+
           (escape-for-html (lisp-implementation-type))
           (escape-for-html (lisp-implementation-version))
-          (or (host *request*) (acceptor-address *acceptor*))
+          (escape-for-html (or (host *request*) (acceptor-address *acceptor*)))
           (scan ":\\d+$" (or (host *request*) ""))
           (acceptor-port *acceptor*)))
 
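Review bot: the new `escape-for-html` call wraps `(or (host *request*) (acceptor-address *acceptor*))`, which is NIL when the request carries no Host header and the acceptor was created without an explicit address; the very next context line guards the same `host` call with `(or ... "")`, so the fallback here should be extended likewise to `(or (host *request*) (acceptor-address *acceptor*) "")` rather than handing NIL to the escaper. The `scan ":\\d+$"` on the following line still operates on the raw host value, which is appropriate only as long as its result is used as a flag in the format control string and never printed; a brief comment to that effect would prevent a later change from rendering it unescaped.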