Variables inserted in s_server -www output are not HTML-escaped. For

$ mv server.key 'hoiserver.key'
$ openssl s_server -cert server.crt -key 'hoiserver.key' -www
$ curl -s -k https://localhost:4433/ | grep hoi
s_server -cert server.crt -key hoiserver.key -www

When viewed in a browser, the whole page becomes bold from that point on.

I expect the same issue to apply to the client certificate report in this

Instead of , someone could insert JavaScript-code here to do nasty
things like steal cookies. Admittedly, getting into the right place to
do this on a production system is hard - but it's better to be safe than

__________________________________________________ ____________________
OpenSSL Project
Development Mailing List
Automated List Manager