mirror of
https://github.com/drwetter/testssl.sh.git
synced 2026-07-15 03:27:38 +02:00
Fix stored XSS in HTML report via unescaped Location: header (#3090)
Backport of the 3.3dev fix to the 3.2 branch. pr_url() and pr_boldurl() interpolated their argument directly into <a href="$1">$1</a> without HTML escaping. The most notable caller passes the raw HTTP Location: header from the scanned server, so a malicious HTTPS target could inject arbitrary HTML/JS into an operator's --htmlfile report. Route both the href attribute and the link text through the existing html_reserved() escaper, matching the pattern already used by every other pr_* HTML-output function.
This commit is contained in:
@@ -1,6 +1,10 @@
|
||||
|
||||
## Change Log
|
||||
|
||||
### Security fixes in 3.2.x
|
||||
|
||||
* Security fix: HTML-escape URLs in the HTML report to prevent stored XSS from a server-controlled `Location:` header (#3090)
|
||||
|
||||
### Features implemented / improvements in 3.2
|
||||
|
||||
* Rating (SSL Labs), as of 3.2.2 version 2009r
|
||||
|
||||
Reference in New Issue
Block a user