[Catalyst] Malformed requests may break $c->req->uri_for()
Jonathan Rockway
jon at jrock.us
Fri Feb 20 17:34:36 GMT 2009
* On Fri, Feb 20 2009, Merlyn Kline wrote:
> One of the checks it does is basically this:
>
> telnet myserver 80
> GET <IMG%20SRC=\"javascript:alert(cross_site_scripting.nasl);\"> / HTTP/1.1
> Host: myserver
>
> So the returned page includes their XSS test code in any https links because
> I generated them from $c->req->uri_for()->as_string(), and so the security
> test fails.
The issue is that you need to escape the HTML output, right?
<IMG SRC="..."> should become, when linkified, <a href="&lt;IMG SRC=&quot;...&quot;&gt;">.
If you do that, there's no security problem... although the link is
useless (which may be a secondary issue to deal with).
(If the security scanner complains about the escaped form, it's dumb.
It's not a security problem.)
Regards,
Jonathan Rockway
--
print just => another => perl => hacker => if $,=$"
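As an added illustration of the escaping Jonathan describes (example code written for this page, not from the Catalyst project or the thread), the script below contrasts a link written with the raw uri_for() string against the same link HTML-escaped; the base URL and the decoded request path are constructed stand-ins for what $c->req->uri_for()->as_string() would return for the scanner's request:

```perl
#!/usr/bin/env perl
# Added example, not from the thread: why a link built from the request URI
# must be HTML-escaped before it is written into the page.
use strict;
use warnings;

# Constructed stand-in for uri_for()->as_string() when the request line
# carried the scanner's payload (the %20 is already decoded by the time the
# path reaches the application).
my $payload_path = '<IMG SRC="javascript:alert(cross_site_scripting.nasl);">';
my $base         = 'https://myserver/';
my $href         = $base . $payload_path;

# Minimal escaper for HTML text and attribute values. In a real Catalyst view
# HTML::Entities::encode_entities or Template Toolkit's [% uri | html %]
# filter does the same job.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable: raw interpolation. The payload's quote closes the href
# attribute and its < and > reach the document unescaped, so the request
# controls the page's markup.
sub render_unsafe {
    my ($url) = @_;
    return qq{<a href="$url">secure link</a>};
}

# Hardened: identical link, URL escaped. The browser sees one attribute
# value containing harmless entities and no new markup.
sub render_safe {
    my ($url) = @_;
    return '<a href="' . html_escape($url) . '">secure link</a>';
}

# Roughly what the scanner checks: did its tag survive into the output
# as raw markup?
sub payload_reached_markup {
    my ($html) = @_;
    return $html =~ /<IMG\s/i ? 1 : 0;
}

my $unsafe = render_unsafe($href);
my $safe   = render_safe($href);
print "unsafe: $unsafe\n  payload in markup: ", payload_reached_markup($unsafe), "\n";
print "safe:   $safe\n  payload in markup: ", payload_reached_markup($safe), "\n";
```

The escaped link is still useless for navigation, as Jonathan notes, but the escaped form is what the page should contain.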