Merge pull request #1066 from fimad/master

Fix XSS vulnerability in HTTP errors
2025-02-01 15:55:28 +00:00 · 2016-03-31 19:36:01 +02:00 · 2016-03-31 19:36:01 +02:00 · 06c6d88359
commit 06c6d88359
parent f1c5721c8c 55bffe1782
1 changed files with 2 additions and 1 deletions
--- a/mitmproxy/models/http.py
+++ b/mitmproxy/models/http.py
@ -1,5 +1,6 @@
 from __future__ import (absolute_import, print_function, division)
 from six.moves import http_cookies as Cookie
+import cgi
 import copy
 import warnings
 from email.utils import parsedate_tz, formatdate, mktime_tz
@ -429,7 +430,7 @@ def make_error_response(status_code, message, headers=None):
            </head>
            <body>%s</body>
        </html>
-    """.strip() % (status_code, response, message)
+    """.strip() % (status_code, response, cgi.escape(message))
    body = body.encode("utf8", "replace")

    if not headers: