Fix stored XSS in HTML report via unescaped Location: header (#3090)

pr_url() and pr_boldurl() interpolated their argument directly into
<a href="$1">$1</a> without HTML escaping. The most notable caller
passes the raw HTTP Location: header from the scanned server, so a
malicious HTTPS target could inject arbitrary HTML/JS into an
operator's --htmlfile report. Route both the href attribute and the
link text through the existing html_reserved() escaper, matching the
pattern already used by every other pr_* HTML-output function.
This commit is contained in:
Eric Gu
2026-07-11 22:32:49 -04:00
parent 21bf1ff19f
commit aad4894f77
3 changed files with 6 additions and 2 deletions
+3
View File
@@ -71,6 +71,9 @@ Full contribution, see git log.
* Christian Dresen
- Dockerfile
* Eric Gu
- HTML report XSS fix (escape server-controlled URLs, #3090)
* enxio
- support for TN3270/telnet STARTTLS