In order of pref I'd say:

  o base64 encode the URLs and surround with some text that says it's only 
useful for the webserver administrator.
  o remove the URLs

> On Apr 12, 2018, at 7:46 AM, Eric Covener <cove...@gmail.com> wrote:
> 
> Scanners at $dayjob (and reports on security@) frequently report that
> built-in error documents suffer from non-xss HTML injection from the
> request URL.
> 
> Here are a few options for silencing these scans/reports:
> 
> [ ] remove the URLs
> [ ] truncate them
> [ ] put them in HTML comments
> [ ] use CSS to make some <spoiler>-like tag
> [ ] use CSS to make the URL non-selectable/copyable
> [ ] base64 encode the URLs and surround with some text that says it's
> only useful for the webserver administrator.
> [ ] use r->the_request or r->unparsed_uri or re-encode the decoded URI
> so spaces can't be used.
> 
> I was initially leaning towards the CSS options, but after tinkering
> with a spoiler tag you still have something tempting to copy/paste.
> 
> Now I am thinking base64 + html comments is the best. This does make
> screenshots of error documents kind of useless, but we still have
> access logs.
> 
> We could also make all of this configurable so whatever obfuscates the
> URL could provide different methods.
> 
> Any other ideas / preferences?
> 
> -- 
> Eric Covener
> cove...@gmail.com
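To make the trade-off between the listed options concrete, here is an added example (not httpd's own error-document code) that renders the request URI into an error page three ways: HTML-escaped, re-percent-encoded so spaces and angle brackets cannot survive, and base64 inside an HTML comment with the "only useful for the webserver administrator" text from the thread. The function names, the comment wording and the sample URI are assumptions constructed for the example.

```python
import base64
import html
import re
from urllib.parse import quote

# Matches the comment we emit in base64_comment mode; base64 never contains
# "-" or ">", so the token can neither close the comment early nor add markup.
COMMENT_RE = re.compile(
    r"<!-- request URI, base64 encoded; only useful to the server administrator: "
    r"([A-Za-z0-9+/=]+) -->"
)


def render_uri_for_error_doc(uri: str, mode: str) -> str:
    """Return the error-document fragment that mentions the request URI.

    All text around the URI is fixed; only the (already decoded) URI is
    request-controlled, which is what scanners flag when it is echoed raw.
    """
    if mode == "escape":
        # Tags from the request render as text (&lt;b&gt;), never as markup.
        return f"<p>The requested URL {html.escape(uri, quote=True)} was not found.</p>"
    if mode == "reencode":
        # Re-percent-encode the decoded URI: "<", ">", quotes and spaces all
        # come out as %XX, so nothing "tempting to copy/paste" is left either.
        return f"<p>The requested URL {quote(uri, safe='/')} was not found.</p>"
    if mode == "base64_comment":
        # Hide the URI entirely from the rendered page; admins can decode it.
        token = base64.b64encode(uri.encode("utf-8")).decode("ascii")
        return (
            "<p>The requested URL was not found on this server.</p>\n"
            "<!-- request URI, base64 encoded; only useful to the server "
            f"administrator: {token} -->"
        )
    raise ValueError(f"unknown mode: {mode}")


def recover_uri(fragment: str) -> str:
    """Administrator side: decode the URI back out of a base64_comment page."""
    match = COMMENT_RE.search(fragment)
    if match is None:
        raise ValueError("no base64 request URI comment found")
    return base64.b64decode(match.group(1)).decode("utf-8")


def echoes_raw_markup(fragment: str, uri: str) -> bool:
    """True if any <tag> present in the request URI appears verbatim in the page."""
    return any(tag in fragment for tag in re.findall(r"<[^>]+>", uri))


# Constructed sample: a URI carrying a tag and a space, as a scanner would send.
CONSTRUCTED_URI = "/docs/<b>hello</b> world.html"
```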
