> On 12 Apr 2018, at 12:46, Eric Covener <cove...@gmail.com> wrote:
>
> Scanners at $dayjob (and reports on security@) frequently report that
> built-in error documents suffer from non-xss HTML injection from the
> request URL.

Deja vu there. I'm sure we've fixed some such, and done a grep on the errordocs repo. I guess the continuing flow comes from the multiplicity of ways we might generate an error page.

> Here are a few options to silencing these scans/reports:

One more: insert an output filter when generating an error page. Escape URLs and scripts to plain text and highlight them. OK, it's an overhead, but error pages are small. A sysop could of course have the option to disable it.

--
Nick Kew
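Added example, not code from this thread or from httpd itself: a small C illustration of the escaping step proposed above, reflecting a constructed request URI into an error-document body only after HTML-escaping it, with a check that the raw request text no longer appears in the output. The function names, the 404 template and the sample URI are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample request URI carrying markup, as a scanner might send. */
static const char *SAMPLE_URI = "/missing/<b>injected</b>";

/* Escape the characters that let reflected request data be read as markup.
 * Returns bytes written (excluding the NUL), or -1 if out is too small. */
static int html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;
        switch (*in) {
        case '<': rep = "&lt;";   break;
        case '>': rep = "&gt;";   break;
        case '&': rep = "&amp;";  break;
        case '"': rep = "&quot;"; break;
        }
        size_t rl = strlen(rep);
        if (n + rl + 1 > outlen) return -1;
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = '\0';
    return (int)n;
}

/* Assumed minimal 404 body; the request URI is reflected only after escaping.
 * Returns the body length, or -1 on error or truncation. */
static int build_error_doc(const char *uri, char *out, size_t outlen)
{
    char esc[512];
    if (html_escape(uri, esc, sizeof esc) < 0) return -1;
    int r = snprintf(out, outlen,
                     "<html><body><h1>Not Found</h1>\n"
                     "<p>The requested URL %s was not found on this server.</p>\n"
                     "</body></html>\n", esc);
    return (r < 0 || (size_t)r >= outlen) ? -1 : r;
}

/* Check a defender can run: 1 if the raw URI no longer appears in the body. */
static int reflection_is_escaped(const char *uri)
{
    char body[1024];
    if (build_error_doc(uri, body, sizeof body) < 0) return 0;
    return strstr(body, uri) == NULL;
}
```

A real filter would escape at the point the error body is emitted, so every generation path is covered rather than each template individually.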