You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@activemq.apache.org by "Elliotte Rusty Harold (JIRA)" <ji...@apache.org> on 2008/01/03 15:43:43 UTC

[jira] Created: (AMQ-1534) Unescaped text messages in message detail

Unescaped text messages in message detail
-----------------------------------------

                 Key: AMQ-1534
                 URL: https://issues.apache.org/activemq/browse/AMQ-1534
             Project: ActiveMQ
          Issue Type: Bug
    Affects Versions: 5.0.0
         Environment: Browser
            Reporter: Elliotte Rusty Harold
            Priority: Critical


The new HTTP based queue view is very useful. However it has one really annoying bug that cost me some hours of debugging. Send a TextMessage to the queue containing a typical HTML or XML document such as 

<result></result>

Then look at that message in the web browser and look at the message detail to see the text of the message. The text appears to be blank, especially if the message only contains tags and white space as was the case for me. Even if it isn't completely blank, the tags will be missing.

The problem is that the text of the message is displayed raw and added to the HTML. This could even be a vector for XSS attacks since no escaping is performed.

Before displaying the text it should be escaped. That is, & should be converted to &amp; and < to &lt;. That should fix the critical problems. 



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Resolved: (AMQ-1534) Unescaped text messages in message detail

Posted by "Rob Davies (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/activemq/browse/AMQ-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rob Davies resolved AMQ-1534.
-----------------------------

      Assignee: Rob Davies
    Resolution: Duplicate

duplicate of https://issues.apache.org/activemq/browse/AMQ-1013

> Unescaped text messages in message detail
> -----------------------------------------
>
>                 Key: AMQ-1534
>                 URL: https://issues.apache.org/activemq/browse/AMQ-1534
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.0.0
>         Environment: Browser
>            Reporter: Elliotte Rusty Harold
>            Assignee: Rob Davies
>            Priority: Critical
>
> The new HTTP based queue view is very useful. However it has one really annoying bug that cost me some hours of debugging. Send a TextMessage to the queue containing a typical HTML or XML document such as 
> <result></result>
> Then look at that message in the web browser and look at the message detail to see the text of the message. The text appears to be blank, especially if the message only contains tags and white space as was the case for me. Even if it isn't completely blank, the tags will be missing.
> The problem is that the text of the message is displayed raw and added to the HTML. This could even be a vector for XSS attacks since no escaping is performed.
> Before displaying the text it should be escaped. That is, & should be converted to &amp; and < to &lt;. That should fix the critical problems. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.