Anyone here read vuln-dev?

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sun, 29 Oct 2000 11:10:53 +1100

There's a new issue with squid been reported on vuln-dev:

a url like
http://123.microsoft.com/<script>alert(this.document.cookie)</script>
does not have it's html entities quoted (ie & > &amp;) before display on an
errorpage. This allows cross site scripting attacks against all clients
behind squid proxies.

I suggest we add a html library file similar to the rfc1738 one to take a
string and return a "safe to show on a web page" by escaping all the known
entities.

Probably there is a "standard way of doing this" - perhaps the xml library
or some other library can just be linked in....

Rob
Received on Sat Oct 28 2000 - 18:05:57 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:53 MST