Plerror is local logging and not passed to a web client.

On May 2, 2014 11:48 PM, "Daniel Kahn Gillmor" <d...@fifthhorseman.net> wrote:

> On 05/02/2014 07:35 AM, Kristian Fiskerstrand wrote:
>
> > A non-persistent client-side cross-site scripting attack was reported
> > against SKS[0] resulting from improper input sanitation before writing
> > to a client. The issue has been fixed in the development trunk[1] for
> > inclusion in an upcoming 1.1.5 release.
>
> Thanks for sorting this out, Kristian.
>
> I'm looking at your patch
> 378:88d453cdc858, and i note that it wraps s in HtmlTemplates.html_quote
> in wserver.ml in many places, mostly where ~body: is being set, but also
> in some cases where s shows up as an argument to plerror (e.g. in
> Bad_request).
>
> However, there are other invocations of plerror in the same section
> where s doesn't get html_quote'ed (e.g. in Page_not_found).
>
> I don't see where plerror is defined, actually, other than the interface
> declared in common.mli, so i'm not sure whether plerror needs escaping
> or not.
>
> But it seems like they should either all be escaped or none. Is there a
> reason to do some and not others?
>
> --dkg
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel