[hunchentoot-devel] Trivial patch for potential XSS bugs

Edi Weitz edi at agharta.de
Tue Mar 30 13:06:56 UTC 2010


Thanks, patch applied.

On Thu, Mar 25, 2010 at 3:37 AM, J.P. Larocque <jpl at thoughtcrime.us> wrote:
> Hi,
>
> There are a few places where Hunchentoot generates HTML which directly
> include some strings, but the strings are plain-text and not HTML.  In
> some cases you can see that the string can never coincidentally
> contain HTML or user-supplied input, so that's fine--I haven't touched
> these.  In other cases, the string is determined from user input (at
> the HTTP level), so there's a danger of XSS attacks at these points.
>
> The chance of a successful attack which exploits these flaws is
> probably low.  In any case, I think Hunchentoot should always
> correctly encode these user-supplied strings as HTML, since the
> strings are treated as plain-text and are not already formatted as
> HTML.
>
> A patch is attached.  The changes are minimal and should speak for
> themselves.
>
> Thanks,
>
> --
> J.P. Larocque <jpl at thoughtcrime.us>
>
> _______________________________________________
> tbnl-devel site list
> tbnl-devel at common-lisp.net
> http://common-lisp.net/mailman/listinfo/tbnl-devel
>
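The fix the quoted message describes, HTML-encoding plain-text strings before they are spliced into generated markup, as an added Common Lisp example; this is not the attached patch nor Hunchentoot's own code, and the handler functions, the escaping routine and the sample path are all constructed for illustration (the vulnerable form is shown next to the hardened one):

```lisp
;;; Added example, not part of the original message or of Hunchentoot.
;;; Demonstrates the class of bug the patch fixes: a request-derived
;;; string is plain text, but it is inserted into HTML unencoded.

(defun escape-for-html (string)
  "Return STRING with the five HTML-significant characters replaced by
entity references, so the result can be spliced into HTML text or a
double-quoted attribute value as literal characters."
  (with-output-to-string (out)
    (loop for char across string
          do (case char
               (#\< (write-string "&lt;" out))
               (#\> (write-string "&gt;" out))
               (#\& (write-string "&amp;" out))
               (#\" (write-string "&quot;" out))
               (#\' (write-string "&#39;" out))
               (t   (write-char char out))))))

;; Hypothetical error page modelled on the pattern described above:
;; the requested path (user input at the HTTP level) is echoed back.

(defun unsafe-not-found-page (request-uri)
  "Vulnerable form: REQUEST-URI is plain text but is inserted as HTML."
  (format nil "<html><body><h1>Not Found</h1><p>~A was not found.</p></body></html>"
          request-uri))

(defun safe-not-found-page (request-uri)
  "Hardened form: the plain-text URI is HTML-encoded before insertion."
  (format nil "<html><body><h1>Not Found</h1><p>~A was not found.</p></body></html>"
          (escape-for-html request-uri)))

;; Constructed sample input: a path that happens to contain markup.
(defparameter *sample-uri* "/docs/<em>index</em>?q=a&b")

(defun demo ()
  "Print both renderings so the difference is visible in the REPL."
  (format t "unsafe: ~A~%" (unsafe-not-found-page *sample-uri*))
  (format t "safe:   ~A~%" (safe-not-found-page *sample-uri*)))
```

Running `(demo)` shows the unencoded page carrying the `<em>` element through as markup, while the encoded page renders the path as the literal text the client sent. The encoding is applied at the point of insertion rather than when the string is read, which is what lets the same string be logged or compared unchanged elsewhere.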