
Prevent XSS by escaping user input

Additionally, escape "'s so no attributes can be inserted into webpages.

Thanks to Pierre Jaury and Damien Cauquil at Sysdream for pointing this
out.
1 parent ddc9a4f commit 416d252f977cae447c2bf4fa9a6ba89480fb07dd @pieterlexis pieterlexis committed Sep 2, 2015
Showing with 6 additions and 3 deletions.
  1. +6 −3 pdns/ws-auth.cc
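--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -122,6 +122,9 @@ static string htmlescape(const string &s) {
 case '>':
 result += ">";
 break;
+ case '"':
+ result += """;
+ break;
 default:
 result += *it;
 }
@@ -141,15 +144,15 @@ void printtable(ostringstream &ret, const string &ringname, const string &title,
 }
 ret<<"<div class=\"panel\">";
- ret<<"<span class=resetring><i></i><a href=\"?resetring="<<ringname<<"\">Reset</a></span>"<<endl;
+ ret<<"<span class=resetring><i></i><a href=\"?resetring="<<htmlescape(ringname)<<"\">Reset</a></span>"<<endl;
 ret<<"<h2>"<<title<<"</h2>"<<endl;
 ret<<"<div class=ringmeta>";
- ret<<"<a class=topXofY href=\"?ring="<<ringname<<"\">Showing: Top "<<limit<<" of "<<entries<<"</a>"<<endl;
+ ret<<"<a class=topXofY href=\"?ring="<<htmlescape(ringname)<<"\">Showing: Top "<<limit<<" of "<<entries<<"</a>"<<endl;
 ret<<"<span class=resizering>Resize: ";
 unsigned int sizes[]={10,100,500,1000,10000,500000,0};
 for(int i=0;sizes[i];++i) {
 if(S.getRingSize(ringname)!=sizes[i])
- ret<<"<a href=\"?resizering="<<ringname<<"&amp;size="<<sizes[i]<<"\">"<<sizes[i]<<"</a> ";
+ ret<<"<a href=\"?resizering="<<htmlescape(ringname)<<"&amp;size="<<sizes[i]<<"\">"<<sizes[i]<<"</a> ";
 else
 ret<<"("<<sizes[i]<<") ";
 }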
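Review bot: `title` on the `<h2>` line of the second hunk is still written into the page unescaped while `ringname` on the lines around it is now routed through htmlescape(); unless every caller of printtable passes a fixed literal (not visible here), that is the same class of injection this commit fixes, and `ret<<"<h2>"<<htmlescape(title)<<"</h2>"<<endl;` costs nothing. In the first hunk the escaper now covers `<`, `>` and `"` (the rendered page shows the replacement as `"""`, presumably `&quot;` in the actual source), but not the single quote, so a value that ever lands in a single-quoted or unquoted attribute would still break out; `case '\'': result += "&#39;"; break;` closes that gap. Note also that the escaped values are being placed inside `?resetring=` / `?ring=` / `?resizering=` query strings, where HTML-escaping stops attribute break-out but does not percent-encode `&`, `#` or `=`, so a ring name containing those would still rewrite the generated link's query — worth a URL-encoding pass on top if ring names are not already restricted to a safe character set. htmlescape begins before the first hunk, so whether `&` is handled is not visible here.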
