In order of pref I'd say: o base64 encode the URL's and surround with some text that says its only useful for the webserver administrator. o remove the URLs
> On Apr 12, 2018, at 7:46 AM, Eric Covener <[email protected]> wrote: > > Scanners at $dayjob (and reports on security@) frequently report that > built-in error documents suffer from non-xss HTML injection from the > request URL. > > Here are a few options to silencing these scans/reports: > > [ ] remove the URL's > [ ] truncate them > [ ] put them in HTML comments > [ ] use CSS to make some <spoiler>-like tag > [ ] use CSS to make the URL non-selectable/copyable > [ ] base64 encode the URL's and surround with some text that says its > only useful for the webserver administrator. > [ ] use r->the_request or r->unparsed_uri or re-encode the decoded URI > so spaces can't be used. > > I was initially leaning towards the CSS options, but after tinkering > with a spoiler tag you still have something tempting to copy/paste. > > Now I am thinking base64 + html comments is the best. This does make > screenshots of error documents kind of useless, but we still have > access logs. > > We could also make all of this configurable so whatever obfuscates the > URL could provide different methods. > > Any other ideas / preferences? > > -- > Eric Covener > [email protected]
