Posted to dev@perl.apache.org by Markus Wichitill <ma...@gmx.de> on 2004/10/05 20:12:59 UTC

[PATCH] Escape HTML in Apache::Status data and env dump

The fact that HTML in dumped variables in Apache::Status messes up the 
output has always bugged me, and this is also a potential XSS security 
issue, so here's a patch to escape the markup.

Index: lib/Apache/Status.pm
===================================================================
RCS file: /home/cvspublic/modperl-2.0/lib/Apache/Status.pm,v
retrieving revision 1.29
diff -u -r1.29 Status.pm
--- lib/Apache/Status.pm	28 Sep 2004 03:42:39 -0000	1.29
+++ lib/Apache/Status.pm	5 Oct 2004 17:47:18 -0000
@@ -363,7 +363,8 @@
      }
      push @retval, "\n</p>\n";
      push @retval, "<pre>",
-        (map "$_ = " . ($ENV{$_}||'') . "\n", sort keys %ENV), "</pre>";
+        (map "$_ = " . (esc_HTML($ENV{$_})||'') . "\n",
+            sort keys %ENV), "</pre>";

      \@retval;
  }
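Review bot: the `||''` in the new `map` line now guards the return value of `esc_HTML` rather than its argument, so an unset `$ENV{$_}` is passed as `undef` into the substitutions in `esc_HTML` and will trigger "Use of uninitialized value" warnings under `warnings`. Move the default inside the call, `esc_HTML($ENV{$_}||'')`, or make `esc_HTML` return `''` for `undef`. The variable name `$_` is still interpolated unescaped; environment keys are normally plain identifiers, but since the goal of this patch is to make the `<pre>` dump markup-safe, escaping the key as well costs nothing.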
@@ -409,6 +410,7 @@
      no strict 'refs';
      my @retval = "<p>\nData Dump of $name $type\n</p>\n<pre>\n";
      my $str = Data::Dumper->Dump([*$name{$type}], ['*'.$name]);
+    $str = esc_HTML($str);
      $str =~ s/= \\/= /; #whack backwack
      push @retval, $str, "\n";
      push @retval, peek_link($r, $q, $name, $type);
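Review bot: the ordering here is right: `esc_HTML` runs before the `s/= \\/= /` backslash cleanup, and that cleanup cannot reintroduce `<`, `>` or `&`, so the escaped dump stays escaped. One thing to check: `$name` and `$type` are interpolated into the `<p>Data Dump of $name $type</p>` line just above without escaping, so if either can originate from the request they need the same `esc_HTML` treatment as the dump body.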
@@ -826,6 +828,16 @@
      push @m, "</table>";

      return join "\n", @m, "<hr>", b_package_size_link($r, $q, $package);
+}
+
+sub esc_HTML {
+    my $str = shift;
+
+    $str =~ s/&/&amp;/g;
+    $str =~ s/</&lt;/g;
+    $str =~ s/>/&gt;/g;
+
+    return $str;
  }

  sub myconfig {
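Review bot: `esc_HTML` escapes `&`, `<` and `>` only, which is sufficient for text inside `<pre>` as used by the two call sites in this patch, but not for attribute values; if the helper is later reused for anything inside quotes, `"` (and ideally `'`) must be escaped too, for example `$str =~ s/"/&quot;/g;`. Add a short comment stating that it is intended for element content only, or add the quote escapes now so the helper is safe in either context. The `&` substitution correctly runs first, so already-escaped entities are not double-processed out of order. As noted on the environment hunk, `my $str = shift;` followed by `s///` on an undefined value warns; a `return '' unless defined $str;` at the top would make the helper safe for every caller.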

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org


Re: [PATCH] Escape HTML in Apache::Status data and env dump

Posted by Stas Bekman <st...@stason.org>.
Markus Wichitill wrote:
> The fact that HTML in dumped variables in Apache::Status messes up the 
> output has always bugged me, and this is also a potential XSS security 
> issue, so here's a patch to escape the markup.

Thanks Markus! Committed with minor tweaks.

-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
