Variables inserted in s_server -www output are not HTML-escaped. For
example:
$ mv server.key '<b>hoiserver.key'
$ openssl s_server -cert server.crt -key '<b>hoiserver.key' -www
...
$ curl -s -k https://localhost:4433/ | grep hoi
s_server -cert server.crt -key <b>hoiserver.key -www
When viewed in a browser, the whole page becomes bold from that point on.
I expect the same issue to apply to the client certificate report in this
output.
Instead of <b>, someone could insert JavaScript-code here to do nasty
things like steal cookies. Admittedly, getting into the right place to
do this on a production system is hard - but it's better to be safe than
sorry.
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
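An added example, not part of the original message and not OpenSSL's own code: one way to HTML-escape the command-line arguments before writing them into a status page, so a file name containing a `<b>` tag is rendered as text instead of markup. The helper names `html_escape` and `render_cmdline` are hypothetical, and the argv in `main` is constructed to mirror the command line in the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an OpenSSL function). Returns escaped length, -1 if out is too small. */
static int html_escape(const char *in, char *out, size_t outlen) {
    size_t used = 0;
    if (outlen == 0) return -1;
    for (; *in != '\0'; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (used + n >= outlen) return -1;   /* always leave room for the NUL */
        if (rep) memcpy(out + used, rep, n);
        else out[used] = *in;
        used += n;
    }
    out[used] = '\0';
    return (int)used;
}

/* Hypothetical: build the escaped, space-separated echo of the command line. */
static int render_cmdline(int argc, char **argv, char *out, size_t outlen) {
    size_t used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < argc; i++) {
        if (i > 0) {
            if (used + 1 >= outlen) return -1;
            out[used++] = ' ';
        }
        int n = html_escape(argv[i], out + used, outlen - used);
        if (n < 0) return -1;                /* refuse to emit a truncated line */
        used += (size_t)n;
    }
    return (int)used;
}

int main(void) {
    /* Constructed argv mirroring the command line in the report. */
    char *args[] = { "s_server", "-cert", "server.crt", "-key", "<b>hoiserver.key", "-www" };
    char line[256];
    if (render_cmdline(6, args, line, sizeof line) >= 0) puts(line);
    return 0;
}
```

The same escaping would apply to any other attacker-influenced string written into the page, such as the client certificate fields the report mentions.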