#358 redirect.html is not secure, vulnerable to XSS

devel (cvs)
open
nobody
None
5
2013-05-09
2013-05-09
John Dennis
No

Mozilla does not want epydoc-produced documentation on any of their web sites because they believe redirect.html is insecure and vulnerable to XSS; see this bug report:

https://bugzilla.mozilla.org/show_bug.cgi?id=830081

Comment #7 elucidates the fundamental issue: the dottedName variable is not escaped prior to being inserted into page content. Suggestions for fixing this include escaping the dottedName variable and/or providing an option to turn off the generation of the redirect.html file. FWIW, it's not clear to me how useful the redirect feature is in the first place.
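
The escaping fix suggested in the report, sketched as an added example (not epydoc's code and not part of the original ticket). The function names, the message text, the sample inputs and the extra dotted-name allowlist check are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not taken from epydoc's redirect.html.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allowlist (assumption): ASCII identifiers joined by single dots, bounded length.
const DOTTED_NAME = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
function isDottedName(value) {
  return typeof value === "string" && value.length <= 256 && DOTTED_NAME.test(value);
}

// "Before": the URL-supplied value is concatenated into markup unchanged.
function messageUnescaped(dottedName) {
  return "<p>No documentation found for <code>" + dottedName + "</code></p>";
}

// "After": the value is always escaped; the allowlist only selects the wording,
// so a rejected value is still displayed as inert text.
function messageEscaped(dottedName) {
  const shown = "<code>" + escapeHtml(dottedName) + "</code>";
  return isDottedName(dottedName)
    ? "<p>No documentation found for " + shown + "</p>"
    : "<p>Not a valid dotted name: " + shown + "</p>";
}

// Constructed sample inputs: one well-formed name, two carrying markup characters.
const SAMPLES = ["pkg.module.Class", "<b>x</b>", 'a.b" title="c'];

function compare() {
  return SAMPLES.map((input) => ({
    input,
    valid: isDottedName(input),
    before: messageUnescaped(input),
    after: messageEscaped(input),
  }));
}

for (const row of compare()) {
  console.log(JSON.stringify(row));
}
```

In a browser, assigning the value through `textContent` instead of building an HTML string avoids the need for a hand-written escaper.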

Discussion