On May 2, 2014 11:48 PM, "Daniel Kahn Gillmor" <address@hidden> wrote:
On 05/02/2014 07:35 AM, Kristian Fiskerstrand wrote:
> A non-persistent client-side cross-site scripting attack was reported
> against SKS[0] resulting from improper input sanitation before writing
> to a client. The issue has been fixed in the development trunk[1] for
> inclusion in an upcoming 1.1.5 release.
Thanks for sorting this out, Kristian.
I'm looking at your patch
378:88d453cdc858, and i note that it wraps s in HtmlTemplates.html_quote
in wserver.ml in many places, mostly where ~body: is being set, but also
in some cases where s shows up as an argument to plerror (e.g. in
Bad_request).
However, there are other invocations of plerror in the same section
where s doesn't get html_quote'ed (e.g. in Page_not_found).
I don't see where plerror is defined, actually, other than the interface
declared in common.mli, so i'm not sure whether plerror needs escaping
or not.
But it seems like they should either all be escaped or none. Is there a
reason to do some and not others?
--dkg
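The "all or none" point above is easiest to see when the escaping is done at one choke point rather than at each call site. The following OCaml is an added example written for this thread, not code from SKS or from the patch; the escaper stands in for HtmlTemplates.html_quote (its exact character table is not shown here), and the `http_error` type, `render_error_*` functions and the request string are constructed for illustration.

```ocaml
(* Added example (not SKS code): escape once, at the point where a string is
   written into an HTML error body, instead of at each call site. *)

(* Minimal HTML escaper standing in for HtmlTemplates.html_quote (assumption:
   the real function's exact character table is not shown in the thread). *)
let html_quote (s : string) : string =
  let b = Buffer.create (String.length s + 16) in
  String.iter
    (fun c ->
      match c with
      | '&' -> Buffer.add_string b "&amp;"
      | '<' -> Buffer.add_string b "&lt;"
      | '>' -> Buffer.add_string b "&gt;"
      | '"' -> Buffer.add_string b "&quot;"
      | '\'' -> Buffer.add_string b "&#39;"
      | c -> Buffer.add_char b c)
    s;
  Buffer.contents b

(* Hypothetical error type standing in for wserver's Bad_request and
   Page_not_found cases; the payload [s] is request text the client controls. *)
type http_error = Bad_request of string | Page_not_found of string

(* Pre-patch shape: each call site decides whether to quote. Only one of the
   two constructors escapes, which is the inconsistency raised in the thread. *)
let render_error_inconsistent = function
  | Bad_request s ->
      Printf.sprintf "<h1>400 Bad request</h1><p>%s</p>" (html_quote s)
  | Page_not_found s ->
      Printf.sprintf "<h1>404 Not found</h1><p>%s</p>" s

(* Single choke point: every error body passes through [html_quote] here,
   so a call site cannot forget it. *)
let error_body ~status ~detail =
  Printf.sprintf "<h1>%s</h1><p>%s</p>" status (html_quote detail)

let render_error_consistent = function
  | Bad_request s -> error_body ~status:"400 Bad request" ~detail:s
  | Page_not_found s -> error_body ~status:"404 Not found" ~detail:s

(* Does [hay] contain [needle] as a substring? Used as a cheap check that
   no unescaped tag from the request survived into the response body. *)
let contains hay needle =
  let n = String.length needle and h = String.length hay in
  let rec go i = i + n <= h && (String.sub hay i n = needle || go (i + 1)) in
  n = 0 || go 0

(* Constructed request path carrying markup; no real server is contacted. *)
let probe = "/pks/lookup?search=<script>alert(1)</script>"

let () =
  let raw_tag = "<script>" in
  let check name render err =
    let body = render err in
    Printf.printf "%-12s %s: %s\n" name
      (if contains body raw_tag then "raw tag reaches client" else "escaped")
      body
  in
  check "inconsistent" render_error_inconsistent (Bad_request probe);
  check "inconsistent" render_error_inconsistent (Page_not_found probe);
  check "consistent" render_error_consistent (Bad_request probe);
  check "consistent" render_error_consistent (Page_not_found probe)
```

Run with `ocaml` on the file: the Page_not_found case of `render_error_inconsistent` reports the raw tag reaching the client, while both cases of `render_error_consistent` report it escaped. Funnelling every body through `error_body` is the design that makes the per-call-site question moot, and the `contains` check is the kind of assertion a test suite can run over every error path in wserver.ml.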