Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

Potential for reflected XSS in development mode 404 page #883

Merged
merged 1 commit into from Sep 21, 2014

Conversation

Projects
None yet
3 participants

ab commented Jun 12, 2014

I don't believe this affects any major browsers since you need a browser that isn't doing URL encoding, but for clients that will pass the URL unmodified there is an XSS in the development mode 404 page.

e.g. curl http://example.com/1<script>prompt(document.domain)</ScRiPt>

request.path_info is echoed directly onto the page:

<pre>#{code}</pre>

Andy Brody Escape HTML in the 404 page.
There is a reflected XSS in the development mode 404 page for clients
that don't URL-encode the request path. (I'm not aware of any major
browsers that do this, but you can see the idea with cURL.)
26cb215
Contributor

vipulnsward commented Sep 21, 2014

Doesn't break anything, but would be good to have.

@rkh rkh added a commit that referenced this pull request Sep 21, 2014

@rkh rkh Merge pull request #883 from ab/404-xss
Potential for reflected XSS in development mode 404 page
4e92d60

@rkh rkh merged commit 4e92d60 into sinatra:master Sep 21, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed
Details

@rkh rkh added a commit that referenced this pull request Sep 11, 2015

@rkh rkh Merge pull request #883 from ab/404-xss
Potential for reflected XSS in development mode 404 page
4ae71a6

@ab ab deleted the ab:404-xss branch Jan 11, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment