This bug goes much deaper than only FTP listings. Squid needs a serious
update in how it generates in HTML output to make sure HTML coding rules
are properly obeyed. This is FTP listings, error pages, gopher, wais and
what else where Squid generates HTML output.
At a minimum < > & and their equivalents with the eith bit set needs to
be properly encoded as < > & &#bc; &#be; &#a6;. The 8-bit
variants is due to bugs in some browser versions which otherwise
misreads them as their 7-bit versions... Note: this applies everywhere,
text as well as in A HREF.
Currently Squid will generate malformed HTML output in many cases, and I
believe are also quite sensitive to cross-site scripting issues.
-- Henrik Nordstrom Squid Hacker Paul Laws wrote: > > Hi, > > I've been testing squid's FTP->HTML translation out, and it's very good. > However, if a directory or filename contains a '<' (less than) character, > this is passed through to the browser. > > I think this should probably be changed to the sequence '<' (ampersand > letter-l, letter-t, semi-colon). > > The squid version I'm using is 2.2 stable 3. > I'm running Linux slackware 3.4, with kernel version 2.0.36. > > I've patched the source code in ftp.c manually, but is there an official > fix? > > Thanks in advance, > Paul. > -- > mailto:p-laws@dircon.co.uk > http://www.p-laws.users.dircon.co.ukReceived on Tue Aug 15 2000 - 15:49:42 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:35 MST