[openssl.org #1724] s_server does not escape HTML

2014-08-14 Thread Rich Salz via RT
This will be fixed in post-1.0.2 release.
In -www mode, s_server escapes the three special characters by writing
their entities instead.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


[openssl.org #1724] s_server does not escape HTML

2008-08-01 Thread [EMAIL PROTECTED] via RT
Variables inserted in s_server -www output are not HTML-escaped. For
example:

$ mv server.key '<b>hoiserver.key'
$ openssl s_server -cert server.crt -key '<b>hoiserver.key' -www
...
$ curl -s -k https://localhost:4433/ | grep hoi
s_server -cert server.crt -key <b>hoiserver.key -www

When viewed in a browser, the whole page becomes bold from that point on.

I expect the same issue to apply to the client certificate report in this
output.

Instead of <b>, someone could insert JavaScript-code here to do nasty
things like steal cookies. Admittedly, getting into the right place to
do this on a production system is hard - but it's better to be safe than
sorry.

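
The escaping described in the reply above, as an added example that is not OpenSSL's code or part of the original thread. It assumes the three special characters are `<`, `>` and `&`; the function name `html_escape` and the sample command line are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst, replacing '<', '>' and '&' with their entities.
 * (Assumption: these are the "three special characters" the reply means.)
 * Returns bytes written, excluding the NUL, or -1 if dst is too small. */
static int html_escape(const char *src, char *dst, size_t dstlen)
{
    size_t used = 0;

    if (dstlen == 0)
        return -1;
    for (; *src != '\0'; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        size_t n;

        if (*src == '<')
            rep = "&lt;";
        else if (*src == '>')
            rep = "&gt;";
        else if (*src == '&')
            rep = "&amp;";
        n = strlen(rep);
        if (used + n + 1 > dstlen)
            return -1;          /* fail rather than emit a cut-off entity */
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return (int)used;
}

int main(void)
{
    /* Constructed input modelled on the command line in the report. */
    const char *cmdline = "s_server -cert server.crt -key <b>hoiserver.key -www";
    char safe[256];

    if (html_escape(cmdline, safe, sizeof safe) < 0)
        return 1;
    /* The browser now renders the markup as literal text. */
    printf("<pre>%s</pre>\n", safe);
    return 0;
}
```

The same treatment applies to any other caller-influenced string written into the page, such as the client certificate report mentioned in the original ticket.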