Posted to dev@tomcat.apache.org by "markt-asf (via GitHub)" <gi...@apache.org> on 2023/05/24 11:08:42 UTC

[GitHub] [tomcat] markt-asf commented on pull request #621: Bug 66609 - invalid XML in directory listing with file names containing "&" and "'"

markt-asf commented on PR #621:
URL: https://github.com/apache/tomcat/pull/621#issuecomment-1560920115

   (Ab)using the URLEncoder for this seems wrong. Tomcat has a class specifically for escaping values in content - `org.apache.tomcat.util.security.Escape`. The fix should use this.
   
   Further, it appears that there are still multiple implementations of XML escaping in the Tomcat code base. These need to be rationalised to use the `Escape` class.
   
   I agree having a test case for this is an improvement. I'd like to see that test case cover all the XML characters that need to be escaped and also test the WebDAV case as well as the directory listing case.


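The distinction raised in the comment above, between URL encoding and escaping for XML content, as an added example that is not part of the original message and is not Tomcat code. The `xmlEscape` helper, the `<listing>`/`<entry>` format and the file name are assumptions constructed for illustration. It shows that the raw name breaks well-formedness, the URL-encoded name parses but no longer equals the file name, and the XML-escaped name round-trips.

```java
import java.io.StringReader;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class ListingEscapeDemo {
    // Hypothetical helper for this example (not Tomcat's Escape class):
    // replaces the five characters that are special in XML content and attributes.
    static String xmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Builds one entry of a constructed listing format, parses it, and returns the
    // name a consumer would see, or null if the document is not well-formed.
    static String parsedName(String nameMarkup) {
        String xml = "<listing><entry name='" + nameMarkup + "'/></listing>";
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            DocumentBuilder b = f.newDocumentBuilder();
            b.setErrorHandler(new DefaultHandler()); // fatal errors throw instead of printing
            return ((org.w3c.dom.Element) b.parse(new InputSource(new StringReader(xml)))
                    .getDocumentElement().getFirstChild()).getAttribute("name");
        } catch (Exception e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String file = "Tom & Jerry's <notes>.txt"; // constructed sample file name
        System.out.println("raw:         " + parsedName(file));
        System.out.println("URL-encoded: " + parsedName(URLEncoder.encode(file, StandardCharsets.UTF_8)));
        System.out.println("XML-escaped: " + parsedName(xmlEscape(file)));
    }
}
```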