author | Maximilian Hils <git@maximilianhils.com> | 2016-03-31 19:36:01 +0200 |
committer | Maximilian Hils <git@maximilianhils.com> | 2016-03-31 19:36:01 +0200 |
commit | 06c6d883595a42f758d21679ebdd4bb4f02a5e93 (patch) | |
tree | a827bb2b3fdc1c0eb1e5a3f62264091f952f5e4a | |
parent | f1c5721c8c6bd2fea1e9f2c0c6fdea099c9ae3de (diff) | |
parent | 55bffe1782fc04697da4f76d5b8d0d1bd1636862 (diff) | |
Merge pull request #1066 from fimad/master
Fix XSS vulnerability in HTTP errors
-rw-r--r-- | mitmproxy/models/http.py | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/mitmproxy/models/http.py b/mitmproxy/models/http.py
index 40460182..f3d425aa 100644
--- a/mitmproxy/models/http.py
+++ b/mitmproxy/models/http.py
@@ -1,5 +1,6 @@
 from __future__ import (absolute_import, print_function, division)
 from six.moves import http_cookies as Cookie
+import cgi
 import copy
 import warnings
 from email.utils import parsedate_tz, formatdate, mktime_tz
@@ -429,7 +430,7 @@ def make_error_response(status_code, message, headers=None):
 </head>
 <body>%s</body>
 </html>
- """.strip() % (status_code, response, message)
+ """.strip() % (status_code, response, cgi.escape(message))
 body = body.encode("utf8", "replace")
 
 if not headers:
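Review bot: `cgi.escape(message)` on the added line of the second hunk escapes only `&`, `<` and `>` (its default is `quote=False`), which is adequate here only because `message` is interpolated into element text (`<body>%s</body>`) and never into an attribute; that assumption is worth pinning in place with `cgi.escape(message)  # element text only; use quote=True if this ever lands in an attribute`. Separately, `cgi.escape` is deprecated on Python 3 and was removed in 3.8, and this file already targets both interpreters via `six`, so `xml.sax.saxutils.escape` (same `&<>` behaviour on 2 and 3) or an `html.escape` import with a `cgi.escape` fallback would avoid a DeprecationWarning and a future ImportError on the error path. The other interpolated values, `status_code` (`%d`) and `response`, are left unescaped; `response` appears to come from a lookup table outside the hunk, so this is presumably fine but should be confirmed. make_error_response starts and ends outside this hunk.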