[hunchentoot-devel] Trivial patch for potential XSS bugs
J.P. Larocque
jpl at thoughtcrime.us
Thu Mar 25 02:37:51 UTC 2010
Hi,

There are a few places where Hunchentoot generates HTML which directly
includes some strings, but the strings are plain-text and not HTML. In
some cases you can see that the string can never coincidentally
contain HTML or user-supplied input, so that's fine--I haven't touched
these. In other cases, the string is determined from user input (at
the HTTP level), so there's a danger of XSS attacks at these points.

The chance of a successful attack which exploits these flaws is
probably low. In any case, I think Hunchentoot should always
correctly encode these user-supplied strings as HTML, since the
strings are treated as plain-text and are not already formatted as
HTML.

A patch is attached. The changes are minimal and should speak for
themselves.

Thanks,

--
J.P. Larocque <jpl at thoughtcrime.us>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hunchentoot-1.1.0-xss_fixes.diff
Type: text/x-diff
Size: 2347 bytes
Desc: not available
URL: <https://mailman.common-lisp.net/pipermail/tbnl-devel/attachments/20100324/d3297564/attachment.diff>
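As an added illustration (not part of the original message, and not Hunchentoot's own code), the following stand-alone Common Lisp shows the class of bug the message describes: a string taken from the request is spliced verbatim into a generated error page, beside the same page with the string HTML-encoded first. The two page-generating functions, the `html-escape` helper and the `*payload*` input are all constructed for this example; Hunchentoot's real escaping routine and its real error pages are not reproduced here.

```lisp
;;; Added example, not from the Hunchentoot source: escaping a
;;; request-derived string before it is interpolated into HTML.

(defun html-escape (string)
  "Return STRING with the five HTML-significant characters replaced by
entity references, so the browser renders it as text, never as markup."
  (with-output-to-string (out)
    (loop for char across string
          do (case char
               (#\< (write-string "&lt;" out))
               (#\> (write-string "&gt;" out))
               (#\& (write-string "&amp;" out))
               (#\" (write-string "&quot;" out))
               (#\' (write-string "&#039;" out))
               (t   (write-char char out))))))

;; Hypothetical 404 page. REQUEST-URI stands for a string copied straight
;; from the HTTP request line, i.e. attacker-controlled input.
(defun unsafe-not-found-page (request-uri)
  "Vulnerable form: the URI is spliced into the markup as-is."
  (format nil "<html><body><h1>Not Found</h1><p>The requested URL ~A was not found on this server.</p></body></html>"
          request-uri))

(defun safe-not-found-page (request-uri)
  "Hardened form: identical page, but the URI is HTML-escaped first."
  (format nil "<html><body><h1>Not Found</h1><p>The requested URL ~A was not found on this server.</p></body></html>"
          (html-escape request-uri)))

;; Constructed malicious request path, not a real observed request.
(defparameter *payload* "/missing/<script>alert('xss')</script>")

(defun demo ()
  "Print both pages for PAYLOAD and check that only the unsafe one
contains a live <script> element."
  (let ((unsafe (unsafe-not-found-page *payload*))
        (safe   (safe-not-found-page *payload*)))
    (format t "Unsafe:~%~A~%~%Safe:~%~A~%" unsafe safe)
    (assert (search "<script>" unsafe))
    (assert (not (search "<script>" safe)))
    (assert (search "&lt;script&gt;" safe))
    t))

;; (demo) => T, after printing the two pages.
```

The point of the pair is that the fix is purely at the interpolation site: the markup template is unchanged, and the only difference is that every plain-text value passes through the escaper before it reaches `format`. Escaping the quote characters as well as `<`, `>` and `&` matters when the same value may later be placed inside an attribute, which is why the helper covers all five.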