Posted to commits@sling.apache.org by pa...@apache.org on 2019/05/06 10:40:38 UTC

[sling-org-apache-sling-servlets-resolver] branch master updated: SLING-8388 : XSS possible in system console - servletresolver

This is an automated email from the ASF dual-hosted git repository.

pauls pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-servlets-resolver.git


The following commit(s) were added to refs/heads/master by this push:
     new 4e22103  SLING-8388 : XSS possible in system console - servletresolver
     new 26e4440  Merge pull request #4 from ashokpanghal/issues/SLING-8388
4e22103 is described below

commit 4e22103ca57917e89fe8475118011b4a6a054280
Author: Ashok Kumar <as...@adobe.com>
AuthorDate: Fri May 3 09:54:42 2019 +0530

    SLING-8388 : XSS possible in system console - servletresolver
---
 .../sling/servlets/resolver/internal/console/WebConsolePlugin.java      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java b/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java
index 58ffcf0..c3ee850 100644
--- a/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java
+++ b/src/main/java/org/apache/sling/servlets/resolver/internal/console/WebConsolePlugin.java
@@ -224,7 +224,7 @@ public class WebConsolePlugin extends HttpServlet {
                     // check for non-existing resources
                     if (ResourceUtil.isNonExistingResource(resource)) {
                         pw.println("The resource given by path '");
-                        pw.println(resource.getPath());
+                        pw.println(ResponseUtil.escapeXml(resource.getPath()));
                         pw.println("' does not exist. Therefore no resource type could be determined!<br/>");
                     }
                     pw.print("Candidate servlets and scripts in order of preference for method ");
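Review bot: Only the `resource.getPath()` echo on the new line is escaped, while the enclosing method — which starts before this hunk and continues past its last line — goes on to print other values into the same HTML response (the "for method" text on the last hunk line is presumably followed by the request method, and its argument is outside the hunk); any of those that are derived from the request need the same `ResponseUtil.escapeXml` treatment or the XSS is only partly closed. Since the diffstat shows a one-line change with no import added, `ResponseUtil` must already be in scope; it is worth confirming that it is the Sling API helper and that `resource.getPath()` cannot be null here, as an escaper that passes null through would make `println` emit the literal `null` rather than fail loudly. A why-comment on the escaped line would help the next maintainer keep the escaping when this output is reworked: `// path is echoed from the request (SLING-8388): escape it before writing into HTML`.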