Variables inserted in s_server -www output are not HTML-escaped. For
example:

$ mv server.key 'hoiserver.key'
$ openssl s_server -cert server.crt -key 'hoiserver.key' -www
....
$ curl -s -k https://localhost:4433/ | grep hoi
s_server -cert server.crt -key hoiserver.key -www

When viewed in a browser, the whole page becomes bold from that point on.

I expect the same issue to apply to the client certificate report in this
output.

Instead of , someone could insert JavaScript-code here to do nasty
things like steal cookies. Admittedly, getting into the right place to
do this on a production system is hard - but it's better to be safe than
sorry.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
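
The escaping the report above calls for, as an added example (not code from the post or from OpenSSL): each echoed argument is HTML-escaped before it is written into the page. The names html_escape and render_cmdline are hypothetical, and the key file name carrying a tag is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OpenSSL's): HTML-escape in to out; -1 if no room. */
static int html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return -1;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep = one;          /* default: copy the byte unchanged */
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (n + len + 1 > outlen) return -1;  /* never emit a truncated entity */
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

/* Join the arguments with spaces for an HTML page, escaping each one. */
static int render_cmdline(int argc, const char *const argv[], char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (int i = 0; i < argc; i++) {
        if (i > 0 && used + 2 > outlen) return -1;  /* room for ' ' and NUL */
        if (i > 0) out[used++] = ' ';
        int w = html_escape(argv[i], out + used, outlen - used);
        if (w < 0) return -1;
        used += (size_t)w;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a key file name carrying markup. */
    const char *const args[] = { "s_server", "-key", "<b>hoiserver.key", "-www" };
    char buf[256];
    return (render_cmdline(4, args, buf, sizeof buf) == 0 && puts(buf) >= 0) ? 0 : 1;
}
```

The same helper would apply to any other externally influenced string written into the page, such as the client certificate fields the report mentions.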