Revision: 4522 Author: edi URL: http://bknr.net/trac/changeset/4522
Safeguard measures against XSS attacks (J.P. Larocque)
U trunk/thirdparty/hunchentoot/CHANGELOG U trunk/thirdparty/hunchentoot/headers.lisp U trunk/thirdparty/hunchentoot/util.lisp
Modified: trunk/thirdparty/hunchentoot/CHANGELOG =================================================================== --- trunk/thirdparty/hunchentoot/CHANGELOG 2010-03-23 12:57:15 UTC (rev 4521) +++ trunk/thirdparty/hunchentoot/CHANGELOG 2010-03-30 13:22:17 UTC (rev 4522) @@ -1,3 +1,4 @@ +Safeguard measures against XSS attacks (J.P. Larocque) Prevent potential leak when closing stream (Matt Lamari, Martin Simmons) Change some occurrences of HANDLER-CASE* to HANDLER-CASE (Hans Hübner, Allan Dee)
Modified: trunk/thirdparty/hunchentoot/headers.lisp =================================================================== --- trunk/thirdparty/hunchentoot/headers.lisp 2010-03-23 12:57:15 UTC (rev 4521) +++ trunk/thirdparty/hunchentoot/headers.lisp 2010-03-30 13:22:17 UTC (rev 4522) @@ -157,15 +157,15 @@ ((#.+http-internal-server-error+) content) ((#.+http-moved-temporarily+ #.+http-moved-permanently+) (format nil "The document has moved <a href='~A'>here</a>" - (header-out :location))) + (escape-for-html (header-out :location)))) ((#.+http-authorization-required+) "The server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.") ((#.+http-forbidden+) (format nil "You don't have permission to access ~A on this server." - (script-name request))) + (escape-for-html (script-name request)))) ((#.+http-not-found+) (format nil "The requested URL ~A was not found on this server." - (script-name request))) + (escape-for-html (script-name request)))) ((#.+http-bad-request+) "Your browser sent a request that this server could not understand.") (otherwise ""))
Modified: trunk/thirdparty/hunchentoot/util.lisp =================================================================== --- trunk/thirdparty/hunchentoot/util.lisp 2010-03-23 12:57:15 UTC (rev 4521) +++ trunk/thirdparty/hunchentoot/util.lisp 2010-03-30 13:22:17 UTC (rev 4522) @@ -302,7 +302,7 @@ +implementation-link+ (escape-for-html (lisp-implementation-type)) (escape-for-html (lisp-implementation-version)) - (or (host *request*) (acceptor-address *acceptor*)) + (escape-for-html (or (host *request*) (acceptor-address *acceptor*))) (scan ":\d+$" (or (host *request*) "")) (acceptor-port *acceptor*)))
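Review bot: in the headers.lisp hunk, `(escape-for-html (header-out :location))` will be called with NIL whenever a redirect status is sent without a Location header, since `header-out` returns NIL for an unset header; the old `~A` formatting printed "NIL" in that case, the new code signals an error inside the error-page generator. Consider `(escape-for-html (or (header-out :location) ""))` or skipping the link when the header is absent. The escaped value also lands inside a single-quoted `href='~A'` attribute, so confirm that `escape-for-html` escapes the apostrophe as well as `<`, `>`, `&` and `"`; otherwise a `'` in the Location value could still close the attribute.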
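Review bot: in the util.lisp hunk, `(or (host *request*) (acceptor-address *acceptor*))` is now passed to `escape-for-html`; the `or` already shows that the Host header may be missing, and if `acceptor-address` can also be NIL (an acceptor bound to all interfaces), the call receives NIL where the previous code simply printed "NIL" via `~A`. Add a string fallback, e.g. `(escape-for-html (or (host *request*) (acceptor-address *acceptor*) ""))`. Escaping the Host header here is the right change, as it is client-supplied input rendered into the error page.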