And update the testsuite accordingly.
Stacktraces have a dump of arguments for function calls nowadays. Without escaping HTML special characters, it is possible to make yaws_outmod:crashmsg/3 dump strings containing something like "</pre><script>alert('Hello, XSS!')</script>", which thus results in an XSS vulnerability.
… to path
For rebar builds, rather than treating ibrowse as a normal dependency even though it's used only for testing, make rebar.config.script check for the existence of a .rebar/YAWS_DEV_MODE file and only if present, add ibrowse as a dependency. This allows projects that use Yaws as a rebar dependency to avoid having to pull in ibrowse. (Credit goes to Seth Falcon for this idea; he added something like this to the Basho webmachine project for a test-only dependency there, and I borrowed his idea for Yaws.)
* Don't ignore SSL protocol_version in embedded mode
* Stop setting global default SSL protocol_version
* Warning that R16B01 is required to SSL protocol_version

After testing R14B02+ with `application:set_env(ssl, protocol_version, X)` and passing `versions` to `ssl:listen`, it looks like only R16B01+ follows the settings.

References:
- https://travis-ci.org/capflam/otp-ssl-test/builds/44369449
- http://erlang.org/pipermail/erlang-questions/2014-October/081388.html
- #192

Fix pull request #193
It seems that we hit the bug OTP-9214 on Travis. This has worked in the past. But now, for an unknown reason, the testsuite fails on R14B02 because of this bug.
Fix issue #191