Fixes XSS in dissected HTTP URLs, TLS certs, and DNS names

Fixes a possible XSS due to forged HTTP URLs such as

curl -u admin:admin1 "http://devel:3000/</a><script>alert(1);</script><a>"

Similar attacks could have been performed with TLS certs and DNS names
Simone Mainardi 2020-06-03 19:00:38 +02:00
parent c650e13963
commit 17bfc850b1
3 changed files with 31 additions and 28 deletions


@ -1053,14 +1053,6 @@ function getTopInterfaceHosts(howmany, localHostsOnly)
return(ret)
end
function http_escape(s)
s = string.gsub(s, "([&=+%c])", function (c)
return string.format("%%%02X", string.byte(c))
end)
s = string.gsub(s, " ", "+")
return s
end
-- Windows fixes for interfaces with "uncommon chars"
function purifyInterfaceName(interface_name)
-- io.write(debug.traceback().."\n")
@ -2236,16 +2228,6 @@ end
-- ##############################################
function escapeHTML(s)
s = string.gsub(s, "([&=+%c])", function (c)
return string.format("%%%02X", string.byte(c))
end)
s = string.gsub(s, " ", "+")
return s
end
-- ##############################################
function unescapeHTML(s)
local unesc = function (h)
local res = string.char(tonumber(h, 16))