From 0ada7b100c773900375d4df5fb81a69e9d968d72 Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Mon, 27 Feb 2017 11:49:51 -0500
Subject: [PATCH] Handle HTML reserved characters in headers
So far I haven't seen any HTML reserved characters (&, <, >, ", ') in the strings processed by `emphasize_stuff_in_headers()`, so this PR may be unnecessary. However, this PR will ensure that any such characters will be properly escaped in the HTML output.
---
testssl.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/testssl.sh b/testssl.sh
index 48fd55c..85aa370 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1926,7 +1926,9 @@ emphasize_stuff_in_headers(){
 -e "s/X-AspNet-Version/${yellow}X-AspNet-Version${off}/g"
 if "$do_html"; then
- html_out "$(tm_out "$1" | sed -e "s/\([0-9]\)/${html_brown}\1${html_off}/g" \
+ html_out "$(tm_out "$1" | sed -e 's/\&/\&/g' \
+ -e 's//\>/g' -e 's/"/\"/g' -e "s/'/\'/g" \
+ -e "s/\([0-9]\)/${html_brown}\1${html_off}/g" \
 -e "s/Debian/${html_yellow}\Debian${html_off}/g" \
 -e "s/Win32/${html_yellow}\Win32${html_off}/g" \
 -e "s/Win64/${html_yellow}\Win64${html_off}/g" \
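Review bot: The ordering of the new escapes is right (`&` first, then the other four, all ahead of the substitutions that insert `${html_brown}`/`${html_yellow}` markup), but the `[0-9]` colouring rule that now follows them also matches digits inside any numeric entity they produce, so if the apostrophe is replaced with a numeric entity like `&#39;` its digits get wrapped in `${html_brown}…${html_off}` and the entity is broken, whereas named entities such as `&amp;`, `&lt;`, `&gt;` and `&quot;` are unaffected. One option is to move the `'` substitution after the digit rule, provided `${html_brown}` and `${html_off}` themselves contain no apostrophe, or to make the digit pattern skip `&#…;` sequences. The hunk as shown on this page has lost the `<`/`>` characters and entity names (`'s//\>/g'` reads as an empty pattern), so the exact replacement strings should be checked against the raw patch rather than this rendering. emphasize_stuff_in_headers() begins before this hunk and its sed chain continues after it.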