diff options
| author | Simon McVittie <smcv@debian.org> | 2016-05-04 08:46:02 +0100 |
|---|---|---|
| committer | Simon McVittie <smcv@debian.org> | 2016-05-05 23:43:17 +0100 |
| commit | 32ef584dc5abb6ddb9f794f94ea0b2934967bba7 (patch) | |
| tree | 0610975a5b3b70b785999dc2dd7fa1a4ef53ae30 /IkiWiki.pm | |
| parent | 355ba851378a8194fa62db4be97015f0675d34aa (diff) | |
| download | ikiwiki-32ef584dc5abb6ddb9f794f94ea0b2934967bba7.tar ikiwiki-32ef584dc5abb6ddb9f794f94ea0b2934967bba7.tar.gz | |
HTML-escape error messages (OVE-20160505-0012)
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)
The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
Diffstat (limited to 'IkiWiki.pm')
| -rw-r--r-- | IkiWiki.pm | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/IkiWiki.pm b/IkiWiki.pm index 0f27ac419..fa71f4791 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -1647,6 +1647,8 @@ sub preprocess ($$$;$$) { if ($@) { my $error=$@; chomp $error; + eval q{use HTML::Entities}; + $error = encode_entities($error); $ret="[[!$command <span class=\"error\">". gettext("Error").": $error"."</span>]]"; } |