authorMaximilian Hils <git@maximilianhils.com>2016-03-31 19:36:01 +0200
committerMaximilian Hils <git@maximilianhils.com>2016-03-31 19:36:01 +0200
commit06c6d883595a42f758d21679ebdd4bb4f02a5e93 (patch)
treea827bb2b3fdc1c0eb1e5a3f62264091f952f5e4a
parentf1c5721c8c6bd2fea1e9f2c0c6fdea099c9ae3de (diff)
parent55bffe1782fc04697da4f76d5b8d0d1bd1636862 (diff)
Merge pull request #1066 from fimad/master
Fix XSS vulnerability in HTTP errors
-rw-r--r--mitmproxy/models/http.py3
1 files changed, 2 insertions, 1 deletions
diff --git a/mitmproxy/models/http.py b/mitmproxy/models/http.py
index 40460182..f3d425aa 100644
--- a/mitmproxy/models/http.py
+++ b/mitmproxy/models/http.py
@@ -1,5 +1,6 @@
from __future__ import (absolute_import, print_function, division)
from six.moves import http_cookies as Cookie
+import cgi
import copy
import warnings
from email.utils import parsedate_tz, formatdate, mktime_tz
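Review bot: The `import cgi` added here is used in the second hunk as `cgi.escape(message)`, and `cgi.escape` is deprecated since Python 3.2 and removed in 3.8, so the fix ties the file to an API that will disappear on Python 3; the file's `six.moves` import suggests 2/3 compatibility is the reason it was chosen. Its default `quote=False` also leaves `"` and `'` unescaped, which is fine for the `<body>%s</body>` text context shown but would not be if the message were ever reused inside an attribute, so `cgi.escape(message, quote=True)` is the safer call at no cost. When Python 2 support is dropped, `html.escape(message)` (which escapes quotes by default) is the supported replacement. The body of `make_error_response` in the second hunk continues past the end of this view.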
@@ -429,7 +430,7 @@ def make_error_response(status_code, message, headers=None):
</head>
<body>%s</body>
</html>
- """.strip() % (status_code, response, message)
+ """.strip() % (status_code, response, cgi.escape(message))
body = body.encode("utf8", "replace")
if not headers: