Bug #598

500 error should be protected against xss attacks

Added by Jan Klopper about 12 years ago. Updated about 12 years ago.

Status: Closed
Priority: High
Assignee:
Category: PageMaker
Target version: -
Start date: 2012-01-26
Due date:
% Done: 100%
Estimated time:
Spent time:

Description

Currently the 500 error handler displays all scope vars as a list. If these scope vars contain html, this html is presented unescaped to the browser, providing an xss exploit opportunity.

This should all be fixed.

Associated revisions

Revision 178:54112d4389c6 (diff)
Added by Elmer de Looff about 12 years ago

TemplateConditional statements must now use only tag variables. These now get a local name that is stored in a dictionary for eval(expr, locals=). This resolves #598.

Revision 179:99a0f6bf230c (diff)
Added by Elmer de Looff about 12 years ago

Updated http500 template to use proper template conditional statements, and wrap all error outputs with html-escaping. This resolves #598.

History

#1 Updated by Elmer de Looff about 12 years ago

  • Status changed from New to Resolved
  • Assignee changed from Elmer de Looff to Jan Klopper
  • % Done changed from 0 to 70

This has been fixed. All variables will be properly html-escaped before output. When templates are captured in local variables, this will cause their literal html source to be printed for the human eye. Double escaping might happen but then the displayed source will show the single-escaped source as desired.

Also fixed bugs with conditional statements in the http500 template, which were illegal in the current fixed version.
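The behaviour described in the update above, as an added example that is not part of the original comment or the project's code: a scope-variable listing rendered without and with HTML-escaping, including the double-escaping case for a captured template. The function names, the sample scope and the use of Python's standard `html.escape` are assumptions made for illustration.

```python
import html


def escape_cell(value):
    """Escape one value for insertion into HTML text or attribute context."""
    return html.escape(str(value), quote=True)


def render_scope_unsafe(scope):
    """'Before' behaviour from the description: values go into the page as-is."""
    rows = ''.join('<li>%s = %s</li>' % (name, value)
                   for name, value in sorted(scope.items()))
    return '<ul>%s</ul>' % rows


def render_scope_escaped(scope):
    """Escape both name and value so the browser shows source, never parses it."""
    rows = ''.join('<li>%s = %s</li>' % (escape_cell(name), escape_cell(value))
                   for name, value in sorted(scope.items()))
    return '<ul>%s</ul>' % rows


def as_displayed(markup):
    """Text a reader sees once the browser decodes the entities in `markup`."""
    return html.unescape(markup)


# Constructed sample scope (hypothetical names and values): one
# request-controlled string, and one captured template whose content was
# already escaped once by the template layer.
SAMPLE_SCOPE = {
    'query': '<script>alert(1)</script>',
    'rendered': '<p>Hello &lt;b&gt;world&lt;/b&gt;</p>',
}

if __name__ == '__main__':
    print(render_scope_unsafe(SAMPLE_SCOPE))   # markup reaches the browser live
    print(render_scope_escaped(SAMPLE_SCOPE))  # markup arrives as inert text
    # Double escaping: the reader sees the single-escaped template source.
    print(as_displayed(escape_cell(SAMPLE_SCOPE['rendered'])))
```
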

#2 Updated by Elmer de Looff about 12 years ago

Applied in changeset commit:65f6e2c86f08.

#3 Updated by Elmer de Looff about 12 years ago

Applied in changeset commit:f2073fc5017d.

#4 Updated by Jan Klopper about 12 years ago

  • Status changed from Resolved to Closed
  • % Done changed from 70 to 100

tested, this works correctly now
