Posted to rivet-dev@tcl.apache.org by bu...@apache.org on 2013/08/29 08:33:10 UTC
[Bug 55496] New: parray should sgml escape unsafe characters
https://issues.apache.org/bugzilla/show_bug.cgi?id=55496
Bug ID: 55496
Summary: parray should sgml escape unsafe characters
Product: Rivet
Version: 2.1.1
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Rivet Core Commands
Assignee: rivet-dev@tcl.apache.org
Reporter: jlawson-apache@bovine.net
CC: mxmanghi@apache.org
The Rivet replacement for "parray" should probably perform escape_sgml_chars on
the name and value of all text it is displaying.
Since parray is already outputting some HTML formatting (bold and pre), the
developer is expecting that the output be fully HTML-safe text. If the array
happens to contain unsafe characters, there could potentially be a cross-site
scripting vulnerability.
It would be common to expect that a developer might want to use parray to print
out debugging information (stack, environment variables, or form submissions)
as a part of a generic traceback handler, but this might be unsafe due to the
lack of automatic escaping.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: rivet-dev-unsubscribe@tcl.apache.org
For additional commands, e-mail: rivet-dev-help@tcl.apache.org
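The escaping the report asks for, as an added Tcl example that is not Rivet's own code: a stand-in parray that runs HTML escaping over the array name, every element name and every value before wrapping the dump in the bold and pre tags. The `html_escape` proc is an assumption for plain tclsh; inside Rivet the same role is played by its escape_sgml_chars command. The `form` array is constructed sample data that stands in for a form submission dumped by a traceback handler.

```tcl
# Added example, not Rivet's code. Assumes plain tclsh (8.5+); in Rivet,
# escape_sgml_chars would replace the html_escape proc below.

proc html_escape {s} {
    # Ampersand first so entities produced here are not escaped a second time.
    return [string map [list & &amp; < &lt; > &gt; \" &quot; ' &#39;] $s]
}

# HTML-safe variant of parray: same layout as the Tcl original (name padded
# to the longest label), but every piece of user-controlled text is escaped.
proc safe_parray {arrayName {pattern *}} {
    upvar 1 $arrayName a
    if {![array exists a]} {
        error "\"$arrayName\" isn't an array"
    }
    set rows {}
    set width 0
    foreach name [lsort -dictionary [array names a $pattern]] {
        set label "[html_escape $arrayName]([html_escape $name])"
        lappend rows $label [html_escape $a($name)]
        set width [expr {max($width, [string length $label])}]
    }
    set out "<b>[html_escape $arrayName]</b>\n<pre>\n"
    foreach {label value} $rows {
        append out [format "%-*s = %s\n" $width $label $value]
    }
    append out "</pre>\n"
    return $out
}

# Constructed sample: a "form submission" where both a key and a value carry markup.
array set form {
    user    alice
    {<img>} x
    comment "<script>alert(1)</script>"
}

set html [safe_parray form]
puts $html

# Self-check: after removing the tags we emitted ourselves, no angle bracket
# may remain, i.e. nothing from the array reached the output unescaped.
set stripped [string map {<b> {} </b> {} <pre> {} </pre> {}} $html]
if {[string first < $stripped] != -1 || [string first > $stripped] != -1} {
    error "unescaped markup leaked into parray output"
}
```

Running it prints the three entries with `&lt;img&gt;` and `&lt;script&gt;alert(1)&lt;/script&gt;` shown as literal text inside the pre block; the final check is the assertion a test suite for the fixed command would carry.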
[Bug 55496] parray should sgml escape unsafe characters
Massimo Manghi <mx...@apache.org> changed:
What     | Removed | Added
---------+---------+------
Version  | 2.1.1   | trunk
OS       |         | All
--- Comment #1 from Massimo Manghi <mx...@apache.org> ---
Array names too should be escaped, correct?
[Bug 55496] parray should sgml escape unsafe characters
--- Comment #2 from Jeff Lawson <jl...@bovine.net> ---
Sure, escape anything that might be a user-manipulated string.
[Bug 55496] parray should sgml escape unsafe characters
Massimo Manghi <mx...@apache.org> changed:
What     | Removed | Added
---------+---------+------
Version  | trunk   | 2.1.2