From: Pieter Lexis
Date: Wed, 2 Sep 2015 12:14:02 +0000 (+0200)
Subject: Prevent XSS by escaping user input
X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~33^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c7f59d62064ccfb9f71e9db8b1e139b355310564;p=pdns

Prevent XSS by escaping user input

Additionally, escape "'s so no attributes can be inserted into webpages. Thanks to Pierre Jaury and Damien Cauquil at Sysdream for pointing this out.
---

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 9ad8efebe..9629fb2cb 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -122,6 +122,9 @@ static string htmlescape(const string &s) {
 case '>':
 result += ">";
 break;
+ case '"':
+ result += """;
+ break;
 default:
 result += *it;
 }
@@ -141,15 +144,15 @@ void printtable(ostringstream &ret, const string &ringname, const string &title,
 }
 ret<<"
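Review bot: The new `"` case still lets `'` fall through the `default:` branch unchanged, so a value interpolated into a single-quoted attribute can still close that attribute; the commit's stated aim of keeping attributes from being inserted needs `case '\'': result += "&#39;"; break;` next to the added case (`&#39;` rather than `&apos;`, which older HTML parsers do not know). The literals shown here as `">"` and `"""` look like the page rendering un-escaped them and are presumably `&gt;` and `&quot;` in the file, which is worth confirming against the source. Escaping is only effective at call sites that route every interpolated value through htmlescape, which this hunk cannot show. The function's signature and the earlier cases of the switch lie above the hunk.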
"; - ret<<"Reset"<Reset"<"<"<"; - ret<<"Showing: Top "<"<Showing: Top "<"<Resize: "; unsigned int sizes[]={10,100,500,1000,10000,500000,0}; for(int i=0;sizes[i];++i) { if(S.getRingSize(ringname)!=sizes[i]) - ret<<""< "; + ret<<""< "; else ret<<"("<