OSCL/CLASH
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improved error response generation. We now keep track of the last

Browse Source 
request read on a connection, which allows us to generate the correct
type of response in case of an error which is handled through
`handle-server-error'.

Also added code to correctly escape text that is inserted into error
messages.  This is also a first step towards preventing cross-scripting
attacks through CLASH, although most of the code still has to be audited
for unfiltered passing through of user-supplied text.
This commit is contained in:
Pierre R. Mai
2001-02-07 14:06:14 +00:00
parent 57583b37ce
commit a803c62958
4 changed files with 56 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/main/parsing.cl
View File

@ -232,3 +232,20 @@ the list of values. All other entries are kept."
(cons value (cdr entry))
(list value (cdr entry))))
(push (cons key value) result))))
;;; HTML escaping for error messages.
;;; This is especially important to avoid cross-scripting client
;;; attacks through our server.
(defun escape-text-for-html (text)
(declare (type simple-string text))
(with-output-to-string (stream)
(loop for char of-type character across text
do
(case char
(#\< (write-string "&lt;" stream))
(#\> (write-string "&gt;" stream))
(#\& (write-string "&amp;" stream))
(#\" (write-string "&quot;" stream))
(t (write-char char stream))))))