Scanners at $dayjob (and reports on security@) frequently report that
built-in error documents suffer from non-xss HTML injection from the
request URL.

Here are a few options to silencing these scans/reports:

[ ] remove the URLs
[ ] truncate them
[ ] put them in HTML comments
[ ] use CSS to make some <spoiler>-like tag
[ ] use CSS to make the URL non-selectable/copyable
[ ] base64 encode the URLs and surround with some text that says it's
only useful for the webserver administrator.
[ ] use r->the_request or r->unparsed_uri or re-encode the decoded URI
so spaces can't be used.

I was initially leaning towards the CSS options, but after tinkering
with a spoiler tag you still have something tempting to copy/paste.

Now I am thinking base64 + HTML comments is the best. This does make
screenshots of error documents kind of useless, but we still have
access logs.

We could also make all of this configurable so whatever obfuscates the
URL could provide different methods.

Any other ideas / preferences?

-- 
Eric Covener
cove...@gmail.com
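Two of the options listed above, combined (re-encode the decoded URI so spaces and markup can't be used as readable text, then base64 the result and expose it only inside an HTML comment), as an added stand-alone example that is not httpd code; the error text and the comment wording are assumptions.

```c
/* Added example, not httpd code: re-encode, then base64 into an HTML comment. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Keep unreserved characters and '/', percent-encode everything else
 * (space, '<', '>', '"', control bytes, ...). Caller frees the result. */
char *reencode_uri(const char *uri)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(strlen(uri) * 3 + 1), *p = out;
    for (; *uri; uri++) {
        unsigned char c = (unsigned char)*uri;
        if (isalnum(c) || strchr("-._~/", c))
            *p++ = (char)c;
        else { *p++ = '%'; *p++ = hex[c >> 4]; *p++ = hex[c & 15]; }
    }
    *p = '\0';
    return out;
}

/* RFC 4648 base64 of a NUL-terminated string. Caller frees the result. */
char *base64_encode(const char *s)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t n = strlen(s), i;
    char *out = malloc((n + 2) / 3 * 4 + 1), *p = out;
    for (i = 0; i < n; i += 3) {
        unsigned v = (unsigned char)s[i] << 16;
        if (i + 1 < n) v |= (unsigned char)s[i + 1] << 8;
        if (i + 2 < n) v |= (unsigned char)s[i + 2];
        *p++ = tbl[v >> 18]; *p++ = tbl[(v >> 12) & 63];
        *p++ = i + 1 < n ? tbl[(v >> 6) & 63] : '=';
        *p++ = i + 2 < n ? tbl[v & 63] : '=';
    }
    *p = '\0';
    return out;
}

/* Error-document fragment: nothing from the request is rendered; it survives
 * only as base64 in a comment for the administrator (text is assumed). */
char *error_doc_fragment(const char *decoded_uri)
{
    char *enc = reencode_uri(decoded_uri), *b64 = base64_encode(enc);
    size_t len = strlen(b64) + 128;
    char *out = malloc(len);
    snprintf(out, len, "<p>The requested resource was not found.</p>\n"
             "<!-- request (base64, for the server admin): %s -->", b64);
    free(enc); free(b64);
    return out;
}
```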
