You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/06/23 10:08:22 UTC
[tomcat] branch 8.5.x updated: Fix CVE-2022-34305 XSS in the examples web application
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 5f6c88b054 Fix CVE-2022-34305 XSS in the examples web application
5f6c88b054 is described below
commit 5f6c88b054b0e4fbccff8b7f15974ed55d59a9f7
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jun 23 10:26:41 2022 +0100
Fix CVE-2022-34305 XSS in the examples web application
---
webapps/docs/changelog.xml | 4 ++++
webapps/examples/jsp/security/protected/index.jsp | 5 ++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3d3b3b864e..c1614a68f6 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -126,6 +126,10 @@
Documentation. <bug>62245</bug>: Include <code>contextXsltFile</code>
when discussing options for configuring directory listings. (markt)
</fix>
+ <fix>
+ Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the
+ Form authentication example. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">
diff --git a/webapps/examples/jsp/security/protected/index.jsp b/webapps/examples/jsp/security/protected/index.jsp
index 31122eb361..148f22b1a3 100644
--- a/webapps/examples/jsp/security/protected/index.jsp
+++ b/webapps/examples/jsp/security/protected/index.jsp
@@ -95,7 +95,10 @@ To add some data to the authenticated session, enter it here:
while (names.hasMoreElements()) {
String name = names.nextElement();
%>
-<tr><td><%= name %></td><td><%= session.getAttribute(name) %></td>
+<tr>
+ <td><%= util.HTMLFilter.filter(name) %></td>
+ <td><%= util.HTMLFilter.filter(String.valueOf(session.getAttribute(name))) %></td>
+</tr>
<%
}
%>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org