Prompted by a recent message about SERVER_NAME, I took a look at some of
the default error page SSIs.  And they have '#echo encoding="none"
var="..."' sprinkled in all sorts of places.

Please, do NOT do this.  The ONLY place to use encoding=none is
where you know the variable is being set by something that has
already properly encoded or filtered any user supplied input, _AND_
we explicitly want any HTML in the variable to be rendered as HTML.
It would probably be wise to try to have a list somewhere in the
docs of the select subset of server set variables that fall into
this category.

Things like:

./docs/error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var:    die <!--#echo encoding="none" var="REDIRECT_REQUEST_METHOD"-->-Methode

are just security holes waiting to happen, and things like:

./docs/error/include/bottom.html:  <small><!--#echo encoding="none" var="DATE_LOCAL" --></small>

while not exploitable, are just nonsensical since if there are any
characters that need to be encoded in there, then not doing so will
just result in bogus data going to the browser.

The default of using entity encoding is fine in the vast majority of
cases, and only has to be overridden if we need URL encoding or if we hit
a special case like ERROR_NOTES where we don't want to do any encoding.
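Added example, not code from the message or from httpd's mod_include: a small Python approximation of the three `#echo` encoding modes, run over the REDIRECT_REQUEST_METHOD line quoted above with a constructed variable value that contains markup. The regex and the exact escaping rules are assumptions; the point is that the entity default neutralises the markup and only encoding="none" passes it through to the browser.

```python
import re
from html import escape
from urllib.parse import quote

# Approximation (not mod_include's code) of the #echo directive syntax
# used in the error pages: optional encoding attribute, then var="NAME".
ECHO_RE = re.compile(
    r'<!--#echo\s+(?:encoding="(none|url|entity)"\s+)?var="([^"]+)"\s*-->'
)


def encode(value, mode):
    """Apply one of the three encoding modes #echo accepts."""
    if mode == "none":
        return value                     # raw: whatever the variable holds reaches the browser
    if mode == "url":
        return quote(value, safe="")     # %XX escaping, for placing the value inside a URL
    return escape(value, quote=True)     # entity (the default): < > & " become entities


def render_ssi(template, variables):
    """Expand every #echo directive in template from the given variable values."""
    def sub(match):
        mode = match.group(1) or "entity"          # no attribute -> entity, as in mod_include
        value = variables.get(match.group(2), "(none)")
        return encode(value, mode)
    return ECHO_RE.sub(sub, template)


# Constructed input: the line from HTTP_REQUEST_ENTITY_TOO_LARGE.html.var, once as
# shipped (encoding="none") and once relying on the default, with a request-derived
# variable that happens to contain markup.
UNSAFE_LINE = 'die <!--#echo encoding="none" var="REDIRECT_REQUEST_METHOD"-->-Methode'
SAFE_LINE = 'die <!--#echo var="REDIRECT_REQUEST_METHOD"-->-Methode'
SAMPLE_VARS = {"REDIRECT_REQUEST_METHOD": "<b>BOGUS</b>"}


def demo():
    """Return (unsafe, safe) renderings so the difference is visible side by side."""
    return render_ssi(UNSAFE_LINE, SAMPLE_VARS), render_ssi(SAFE_LINE, SAMPLE_VARS)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("encoding=none :", unsafe)    # markup rendered by the browser
    print("default entity:", safe)      # markup shown as literal text
```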
