https://issues.apache.org/bugzilla/show_bug.cgi?id=55496
Bug ID: 55496
Summary: parray should sgml escape unsafe characters
Product: Rivet
Version: 2.1.1
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Rivet Core Commands
Assignee: rivet-dev@tcl.apache.org
Reporter: jlawson-apa...@bovine.net
CC: mxman...@apache.org

The Rivet replacement for "parray" should probably perform escape_sgml_chars on the name and value of all text it is displaying. Since parray is already outputting some HTML formatting (bold and pre), the developer is expecting that the output be fully HTML-safe text. If the array happens to contain unsafe characters, there could potentially be a cross-site scripting vulnerability.

It would be common to expect that a developer might want to use parray to print out debugging information (stack, environment variables, or form submissions) as a part of a generic traceback handler, but this might be unsafe due to the lack of automatic escaping.

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: rivet-dev-unsubscr...@tcl.apache.org
For additional commands, e-mail: rivet-dev-h...@tcl.apache.org
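An HTML-safe parray of the kind the report asks for, written as an added example rather than taken from Rivet's source: the proc `parray_html`, the helper `html_escape` (a `string map` standing in for Rivet's `escape_sgml_chars`, assumed to cover the same characters) and the sample `form` array are all constructed here. Both the array name/key and the value are escaped, since in a traceback handler either can come from the request.

```tcl
# Added example, not Rivet's own parray. html_escape stands in for
# escape_sgml_chars; the five-character mapping is an assumption.
proc html_escape {s} {
    return [string map {& &amp; < &lt; > &gt; \" &quot; ' &#39;} $s]
}

# Mimic Tcl's parray ("name(key) = value" per line) with the <pre>/<b>
# markup the report describes, but with every piece of text escaped.
proc parray_html {arrayName {pattern *}} {
    upvar 1 $arrayName arr
    if {![array exists arr]} {
        error "\"$arrayName\" isn't an array"
    }
    set out "<pre>\n"
    foreach key [lsort [array names arr $pattern]] {
        # Escape the key and the value: both may be attacker-controlled
        # when the array holds environment variables or form fields.
        set k [html_escape "${arrayName}($key)"]
        set v [html_escape $arr($key)]
        append out "<b>$k</b> = $v\n"
    }
    append out "</pre>\n"
    return $out
}

# Constructed sample: a form-submission array whose value carries markup,
# the situation the report warns about.
array set form {
    user   "alice"
    remark "<script>alert(1)</script>"
}
set html [parray_html form]
puts $html

# Check: the dump must not contain the raw tag any more.
if {[string first "<script>" $html] != -1} {
    error "escaping failed"
}
```

With the escaping in place the value is emitted as `&lt;script&gt;alert(1)&lt;/script&gt;`, so the browser renders it as text instead of executing it.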