Posted to dev@commons.apache.org by bu...@apache.org on 2003/02/15 21:51:38 UTC

DO NOT REPLY [Bug 17102] New: - Can't embed "<>" characters in paramValue data.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17102>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17102

Can't embed "<>" characters in paramValue data.

           Summary: Can't embed "<>" characters in paramValue data.
           Product: Commons
           Version: Nightly Builds
          Platform: All
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Latka
        AssignedTo: commons-dev@jakarta.apache.org
        ReportedBy: Larry.Isaacs@sas.com


I'm unable to write tests that check for cross-site scripting vulnerabilities
because the <paramValue> tag adds text to the request that is unconditionally
XML escaped.  Thus, the intended "<>" characters become literal "&lt;"
and "&gt;" in the request.

I'm not familiar enough with Latka to know if this is by design.  If this
escaping isn't needed, changing ParamValueTag.java (along with
ParamNameTag.java plus RequestBodyTag.java for consistency) to use
"getBodyText(false)" would fix this.

In case the escaping is needed, I have attached a zip file that includes patches
for these files, as well as for suite.ent, that add an "escape" attribute to these
tags.  Since the attribute text for the requestHeader tag is not escaped, the
patch as-is also makes not escaping the default.  This is a change from
prior behavior.  The internal tests and jakarta-watchdog-4.0/latka-scratch do
not appear to be affected by this change.
