Fix stored XSS in HTML report via unescaped Location: header (#3090)

Backport of the 3.3dev fix to the 3.2 branch.

pr_url() and pr_boldurl() interpolated their argument directly into
<a href="$1">$1</a> without HTML escaping. The most notable caller
passes the raw HTTP Location: header from the scanned server, so a
malicious HTTPS target could inject arbitrary HTML/JS into an
operator's --htmlfile report. Route both the href attribute and the
link text through the existing html_reserved() escaper, matching the
pattern already used by every other pr_* HTML-output function.
This commit is contained in:
Eric Gu
2026-07-11 23:22:42 -04:00
parent eb4d8183ee
commit 406e87a0a4
3 changed files with 9 additions and 2 deletions
+4
View File
@@ -1,6 +1,10 @@
## Change Log ## Change Log
### Security fixes in 3.2.x
* Security fix: HTML-escape URLs in the HTML report to prevent stored XSS from a server-controlled `Location:` header (#3090)
### Features implemented / improvements in 3.2 ### Features implemented / improvements in 3.2
* Rating (SSL Labs), as of 3.2.2 version 2009r * Rating (SSL Labs), as of 3.2.2 version 2009r
+3
View File
@@ -68,6 +68,9 @@ Full contribution, see git log.
* Christian Dresen * Christian Dresen
- Dockerfile - Dockerfile
* Eric Gu
- HTML report XSS fix (escape server-controlled URLs, #3090)
* enxio * enxio
- support for TN3270/telnet STARTTLS - support for TN3270/telnet STARTTLS
+2 -2
View File
@@ -739,8 +739,8 @@ tmln_fixme() { tmln_warning "Fixme: $1"; }
pr_fixme() { pr_warning "Fixme: $1"; } pr_fixme() { pr_warning "Fixme: $1"; }
prln_fixme() { prln_warning "Fixme: $1"; } prln_fixme() { prln_warning "Fixme: $1"; }
pr_url() { tm_out "$1"; html_out "<a href=\"$1\" style=\"color:black;text-decoration:none;\">$1</a>"; } pr_url() { tm_out "$1"; html_out "<a href=\"$(html_reserved "$1")\" style=\"color:black;text-decoration:none;\">$(html_reserved "$1")</a>"; }
pr_boldurl() { tm_bold "$1"; html_out "<a href=\"$1\" style=\"font-weight:bold;color:black;text-decoration:none;\">$1</a>"; } pr_boldurl() { tm_bold "$1"; html_out "<a href=\"$(html_reserved "$1")\" style=\"font-weight:bold;color:black;text-decoration:none;\">$(html_reserved "$1")</a>"; }
### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/ ### color switcher (see e.g. https://linuxtidbits.wordpress.com/2008/08/11/output-color-on-bash-scripts/
### https://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html ### https://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x405.html