From: Nick Kew <niq@apache.org>
Date: Mon, 18 Sep 2017 21:20:51 +0000 (+0000)
Subject: mod_speling/PR 38923: don't embed Referer in link in error page.
X-Git-Tag: 2.5.0-alpha~114
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=463791458886012702cf94ca4164376434259932;p=apache

mod_speling/PR 38923: don't embed Referer in link in error page.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1808780 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index fc03f9fbee..6c49864344 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_speling: Don't embed referer data in a link in error page.
+     PR 38923 [Nick Kew]
+
   *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST is
      used in a condition that evaluates to true. PR 58231 [Luca Toscano]
 
diff --git a/modules/mappers/mod_speling.c b/modules/mappers/mod_speling.c
index d0ac5b2b98..b0f4b8fe0e 100644
--- a/modules/mappers/mod_speling.c
+++ b/modules/mappers/mod_speling.c
@@ -482,10 +482,10 @@ static int check_speling(request_rec *r)
             if (ref != NULL) {
                 *(const char **)apr_array_push(t) =
                                "Please consider informing the owner of the "
-                               "<a href=\"";
-                *(const char **)apr_array_push(t) = ap_escape_uri(sub_pool, ref);
-                *(const char **)apr_array_push(t) = "\">referring page</a> "
-                               "about the broken link.\n";
+                               "referring page <tt>";
+                *(const char **)apr_array_push(t) = ap_escape_html(sub_pool, ref);
+                *(const char **)apr_array_push(t) =
+                               "</tt> about the broken link.\n";
             }