> On 12 Apr 2018, at 12:46, Eric Covener <cove...@gmail.com> wrote:
> 
> Scanners at $dayjob (and reports on security@) frequently report that
> built-in error documents suffer from non-xss HTML injection from the
> request URL.

Deja vu there.  I’m sure we’ve fixed some such, and done a grep on
the errordocs repo.  I guess the continuing flow comes from the
multiplicity of ways we might generate an error page.

> Here are a few options to silencing these scans/reports:

One more: insert an output filter when generating an error page.
Escape URLs and scripts to plain text and highlight them.
OK, it’s an overhead, but error pages are small.

A sysop could of course have the option to disable it.

— 
Nick Kew
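One way to realise the escaping half of the output-filter idea above, as an added example that is not httpd's code: a constructed error-document generator, once with the request URL interpolated raw (the defect the scanners flag) and once with it run through an HTML escaper first. html_escape, error_page_unescaped, error_page_escaped and the ERRDOC_FMT template are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Minimal built-in error document template (constructed for this example). */
#define ERRDOC_FMT "<html><body><h1>%d Not Found</h1><p>The requested URL %s was not found on this server.</p></body></html>"

/* Escape the five characters that let text break out of an HTML text node or
 * attribute value. Returns bytes written (excluding NUL); output is truncated
 * only at entity boundaries and is always NUL-terminated. */
size_t html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, 0 };
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (n + len >= outlen) break;   /* keep room for the NUL */
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return n;
}

/* The defect the scanners flag: the request URL is interpolated verbatim, so
 * markup in the URL becomes markup in the error page (HTML injection). */
int error_page_unescaped(int status, const char *uri, char *buf, size_t buflen)
{
    return snprintf(buf, buflen, ERRDOC_FMT, status, uri);
}

/* Hardened form of the same generator: every request-derived value passes
 * through html_escape before interpolation, so the URL renders as plain text. */
int error_page_escaped(int status, const char *uri, char *buf, size_t buflen)
{
    char safe[1024];
    html_escape(uri, safe, sizeof safe);
    return snprintf(buf, buflen, ERRDOC_FMT, status, safe);
}
```

The same escaper would sit in the output filter Nick describes, applied to every request-derived fragment the error page emits rather than to one call site.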