Thanks, patch applied.
On Thu, Mar 25, 2010 at 3:37 AM, J.P. Larocque jpl@thoughtcrime.us wrote:
Hi,
There are a few places where Hunchentoot generates HTML which directly includes some strings, but the strings are plain text and not HTML. In some cases you can see that the string can never coincidentally contain HTML or user-supplied input, so that's fine--I haven't touched these. In other cases, the string is determined from user input (at the HTTP level), so there's a danger of XSS attacks at these points.
The chance of a successful attack which exploits these flaws is probably low. In any case, I think Hunchentoot should always correctly encode these user-supplied strings as HTML, since the strings are treated as plain-text and are not already formatted as HTML.
A patch is attached. The changes are minimal and should speak for themselves.
Thanks,
-- J.P. Larocque jpl@thoughtcrime.us
tbnl-devel site list tbnl-devel@common-lisp.net http://common-lisp.net/mailman/listinfo/tbnl-devel
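The pattern the patch addresses, as an added illustration that is not part of the thread or of Hunchentoot's own code: a hand-built error page splices a request-controlled string into HTML as if it were markup, and the fix is to encode it as text first. The function and parameter names (escape-html, not-found-page-unsafe, not-found-page-safe, *hostile-uri*) are hypothetical, and the attack input is constructed for the example. Hunchentoot exports its own helper for this (escape-for-html in recent versions; check the exports of the version you run), which is what the patch should be reaching for rather than a private copy.

```lisp
;;; Added example, not Hunchentoot's code.  Runs in any Common Lisp with no
;;; dependencies.  Names below are hypothetical.

(defun escape-html (string)
  "Return STRING with the five characters that are significant in HTML text
and double-quoted attribute context replaced by entity references.  This is
the minimal, context-agnostic encoding that is safe for both placements."
  (with-output-to-string (out)
    (loop for char across string
          do (case char
               (#\& (write-string "&amp;" out))
               (#\< (write-string "&lt;" out))
               (#\> (write-string "&gt;" out))
               (#\" (write-string "&quot;" out))
               (#\' (write-string "&#39;" out))
               (t (write-char char out))))))

;;; A 404 page built by hand.  REQUEST-URI comes straight from the request
;;; line, so it is attacker-controlled at the HTTP level.

(defun not-found-page-unsafe (request-uri)
  "Vulnerable: the URI is dropped into the markup verbatim."
  (format nil "<html><body><h1>Not Found</h1><p>The requested URL ~A was not found on this server.</p></body></html>"
          request-uri))

(defun not-found-page-safe (request-uri)
  "Fixed: the URI is plain text, so it is HTML-encoded before insertion."
  (format nil "<html><body><h1>Not Found</h1><p>The requested URL ~A was not found on this server.</p></body></html>"
          (escape-html request-uri)))

;;; Constructed attack input: a request path carrying a script element.
(defparameter *hostile-uri* "/<script>alert(document.cookie)</script>")

(defun demo ()
  "Print both renderings and self-check that the safe one carries no markup
from the input."
  (format t "UNSAFE:~%~A~%~%" (not-found-page-unsafe *hostile-uri*))
  (format t "SAFE:~%~A~%" (not-found-page-safe *hostile-uri*))
  (assert (search "<script>" (not-found-page-unsafe *hostile-uri*)))
  (assert (not (search "<script" (not-found-page-safe *hostile-uri*))))
  (assert (string= (escape-html "a<b&\"c'")
                   "a&lt;b&amp;&quot;c&#39;"))
  :ok)

;; (demo)
```

Two points worth keeping in mind when reviewing a patch like this one: encode at the point of insertion into HTML, not at the point where the string is read from the request, so that the same value can still be logged or compared unescaped; and treat a string as trusted only if every source that can reach that code path is a literal or a server-side constant, as the original message says, since a value that is safe today becomes a sink the moment someone later routes a request parameter into it.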