[erlang-bugs] XSS in inets

Michael Santos <>
Tue May 12 03:11:14 CEST 2009

The inets httpd server does not perform output encoding on user input.

$ nc localhost 8080
GET /<b>blah</b> HTTP/1.0

HTTP/1.0 404 Object Not Found
Server: inets/5.0.13
Date: Tue, 12 May 2009 00:57:16 GMT
Content-Type: text/html
Content-Length: 206

           <TITLE>Object Not Found</TITLE>
       <H1>Object Not Found</H1>
The requested URL /<b>blah</b> was not found on this server.

The supplied markup in the entity body may be interpreted by the
browser, with the possibility of XSS, phishing, etc.


For the error page, maybe return "text/plain". A proper fix is to perform
HTML or URI encoding on any user supplied input that is subsequently
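One way the error page could apply the HTML encoding suggested above, as an added illustration rather than code from inets or from the reporter; the module name, function names and page layout are assumptions, and only the request URL is treated as untrusted input:

```erlang
-module(xss_example).
-export([html_escape/1, not_found_body/1, demo/0]).

%% Replace the characters that can change parsing context in HTML text
%% and attribute values with their entity references.
html_escape(Input) when is_list(Input) ->
    lists:flatmap(fun escape_char/1, Input).

escape_char($&) -> "&amp;";
escape_char($<) -> "&lt;";
escape_char($>) -> "&gt;";
escape_char($") -> "&quot;";
escape_char($') -> "&#39;";
escape_char(C)  -> [C].

%% Build the 404 entity body with the requested URL escaped before it is
%% embedded, so markup supplied in the request is shown literally.
not_found_body(RequestUri) ->
    Safe = html_escape(RequestUri),
    lists:flatten([
        "<HTML><HEAD><TITLE>Object Not Found</TITLE></HEAD><BODY>",
        "<H1>Object Not Found</H1>",
        "The requested URL ", Safe, " was not found on this server.",
        "</BODY></HTML>"
    ]).

%% Constructed request path mirroring the report; prints the escaped body.
demo() ->
    Body = not_found_body("/<b>blah</b>"),
    io:format("~s~n", [Body]),
    Body.
```

With the path from the report, the body contains `/&lt;b&gt;blah&lt;/b&gt;`, which a browser renders as text instead of markup.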

