From: Simon McVittie <smcv@debian.org>
Date: Wed, 4 May 2016 07:46:02 +0000 (+0100)
Subject: HTML-escape error messages (OVE-20160505-0012)
X-Git-Tag: debian/3.20141016.3~16
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/3a72fd87c7214a508b67ac8dc3567a427240c9c8?hp=3a72fd87c7214a508b67ac8dc3567a427240c9c8

HTML-escape error messages (OVE-20160505-0012)

The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)

The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
---