Bug 47050 - StandardHostValve.status unnecessarily HTML-escapes the error message
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: 6.0.18
Hardware: All All
Importance: P2 normal
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL:
Keywords: ErrorMessage
Depends on:
Blocks:
 
Reported: 2009-04-19 01:59 UTC by Roland Illig
Modified: 2009-06-03 10:23 UTC
Description Roland Illig 2009-04-19 01:59:15 UTC
I have written a JSP page that prints all request attributes verbatim to the output. When I access it as

    http://localhost:8100/roland/404&

it outputs the following HTML code:

 <body>
javax.servlet.error.message=/roland/404&amp;amp;<br>
javax.servlet.error.request_uri=/roland/404&amp;<br>
...
 </body>

I was surprised that the error.message has been HTML-escaped, but the error.request hasn't. What's the intention of this escaping? It feels like Catalina is imitating PHP's magic-quotes here, which it shouldn't.

In my opinion, the error message should be copied to the request attribute as-is and not passed through RequestUtil.filter, so the programmer can write it to log files or a text/plain error page without unfiltering it first.
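An added example (not code from the bug report or from Tomcat itself) of the point the report makes: once the attribute holds the raw message, each consumer escapes for its own output context, and an HTML error page must do that escaping itself. The htmlEscape helper is an assumption that mirrors the behaviour visible above (& becomes &amp;) plus the other HTML metacharacters; it is not Tomcat's RequestUtil.filter, whose exact character set is not shown on this page.

```java
// Added example, not Tomcat code. Demonstrates the double-escaping seen in
// the bug report and the correct division of labour after the fix.
public final class ErrorMessageEscaping {

    // Assumption: a minimal HTML escape for text placed between tags or in
    // attribute values. Stands in for whatever the container used to apply.
    static String htmlEscape(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // An HTML error page: escaping happens here, at the point of output,
    // because only this consumer knows the message lands in an HTML context.
    static String renderHtmlErrorPage(String message) {
        return "<html><body><p>Not found: " + htmlEscape(message) + "</p></body></html>";
    }

    // A text/plain error page or a log line: no escaping is wanted at all.
    static String renderTextErrorPage(String message) {
        return "HTTP 404: " + message;
    }

    public static void main(String[] args) {
        // Constructed input: the request URI from the bug report.
        String raw = "/roland/404&";

        // Pre-fix (6.0.18): the attribute already contains HTML, so the HTML
        // page double-escapes (the user sees a literal "&amp;") and the text
        // page and the log carry an entity instead of the real character.
        String preFixAttribute = htmlEscape(raw);
        System.out.println("pre-fix html : " + renderHtmlErrorPage(preFixAttribute));
        System.out.println("pre-fix text : " + renderTextErrorPage(preFixAttribute));

        // Post-fix (6.0.21 onwards): the attribute is the raw string; the HTML
        // page escapes exactly once and the text page gets the message as-is.
        String postFixAttribute = raw;
        System.out.println("post-fix html: " + renderHtmlErrorPage(postFixAttribute));
        System.out.println("post-fix text: " + renderTextErrorPage(postFixAttribute));
    }
}
```

Run it with `java ErrorMessageEscaping.java` (Java 11 or later). The practical consequence of the fix for an application: an error JSP that emits the attribute through a scriptlet expression or plain EL now writes the unescaped message into the page, so it should escape at output time, for example with `<c:out>`, which escapes XML by default.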
Comment 1 Mark Thomas 2009-05-01 08:35:29 UTC
I fixed this for trunk as I can't see any negative security (XSS) impact. I'll leave it a little while before proposing for backport in case others see something I missed.
Comment 2 Mark Thomas 2009-06-03 10:23:16 UTC
This has been fixed in 6.0.x and will be included in 6.0.21 onwards.