Follow up to #1143 and #1150.
This splits the DETAILS variable of errors 400 and 502 into 3 hexadecimal buffers SUCCESSFULLY_PARSED, PARTIALLY_PARSED, and INVALID. This avoids any XSS attacks from this variable. The last valid header/trailer/cookie has also been removed from MESSAGE.
The new 400 and 502 use JavaScript to display the hexadecimal buffers as UTF-8 (using the safe innerText) and hopefully help the client fix the problem:
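The decode-and-display step described above, as an added example that is not code from this pull request or the project. The buffer names come from the description; the function names, the sample hex values, and the element objects keyed by buffer name are assumptions (in a browser they would be real DOM elements).

```javascript
// Added example, not the project's code. Helper names and sample data are constructed.

// Strict hex decoding. The hex alphabet has no markup characters, so a value that
// passes this check cannot have carried HTML or script syntax into the page source.
function hexToBytes(hex) {
  if (typeof hex !== 'string' || hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new TypeError('not a hex buffer');
  }
  const bytes = new Uint8Array(hex.length / 2);
  for (let i = 0; i < bytes.length; i++) {
    bytes[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  }
  return bytes;
}

// Non-fatal UTF-8 decoding: the INVALID buffer may hold bytes that are not valid
// UTF-8, and those become U+FFFD instead of raising an error on the error page.
function hexToText(hex) {
  return new TextDecoder('utf-8', { fatal: false }).decode(hexToBytes(hex));
}

// Assign each decoded buffer through innerText, so it is shown as text and
// never parsed as markup.
function renderDetails(buffers, elements) {
  for (const name of Object.keys(buffers)) {
    elements[name].innerText = hexToText(buffers[name]);
  }
  return elements;
}

// Constructed sample of what the server could substitute into the template.
const sampleBuffers = {
  SUCCESSFULLY_PARSED: '486f73743a206578616d706c652e636f6d0d0a', // "Host: example.com\r\n"
  PARTIALLY_PARSED: '582d4e616d653a20',                          // "X-Name: "
  INVALID: '3c623eff',                                           // "<b>" plus a non-UTF-8 byte
};
```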