HTML-escape error messages (OVE-20160505-0012)

The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)

The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.

diff --git a/IkiWiki.pm b/IkiWiki.pm
index 0f27ac419d625aea235184f54fd889a0523ffcfa..fa71f479107a2388fde2fe00a67bfa2daa4fb3a9 100644 (file)
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -1647,6 +1647,8 @@ sub preprocess ($$$;$$) {
                                if ($@) {
                                        my $error=$@;
                                        chomp $error;
+                                       eval q{use HTML::Entities};
+                                       $error = encode_entities($error);
                                        $ret="[[!$command <span class=\"error\">".
                                                gettext("Error").": $error"."</span>]]";
                                }

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index cbc2fe8eb0c6ce8b0e2b6ac5089e42fdd79b7037..243662386a55f84fc21c6959e136b4de3eaec27c 100644 (file)
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -488,6 +488,9 @@ sub cgi (;$$) {
 sub cgierror ($) {
        my $message=shift;
 
+       eval q{use HTML::Entities};
+       $message = encode_entities($message);
+
        print "Content-type: text/html\n\n";
        print cgitemplate(undef, gettext("Error"),
                "<p class=\"error\">".gettext("Error").": $message</p>");