From: Simon McVittie <smcv@debian.org>
Date: Wed, 4 May 2016 07:46:02 +0000 (+0100)
Subject: HTML-escape error messages (CVE-2016-4561)
X-Git-Tag: debian/3.20120629.2+deb7u2~47
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/bcfba8cdb50dcaca9faa182955825670efb15852?hp=bcfba8cdb50dcaca9faa182955825670efb15852

HTML-escape error messages (CVE-2016-4561)

The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012, CVE-2016-4561)

The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
---