| Summary: | XSS patch for EL | | |
|---|---|---|---|
| Product: | Tomcat 6 | Reporter: | Rafael Serrano <werkins> |
| Component: | Jasper | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | major | CC: | mraible |
| Priority: | P2 | Keywords: | PatchAvailable |
| Version: | unspecified | | |
| Target Milestone: | default | | |
| Hardware: | All | | |
| OS: | All | | |
| Attachments: | Test JSP; Patch; Reworked patch | | |
Description

Rafael Serrano, 2008-08-19 08:15:41 UTC

Created attachment 22456 [details]: Patch

Here is the patch for the trunk.
To start escaping XML content just add "-Dgenerator.escapeXml=true" to your VM arguments.

I don't see a need for this to be a system property. It should be another parameter on the JSP Servlet like trimSpaces. Could you re-work the patch?

Created attachment 22472 [details]: Reworked patch

Hi Mark,
I think you are right about the way this should be configured, so here is the new patch. The JspServlet parameter to enable/disable XML escaping is named escapeXml.
BTW, I have changed the current behavior, so ${foo} escapes XML by default.
Regards
Rafa

Thanks for this. There are some other EL issues I want to get fixed first and then I'll look at integrating this patch. I'll change the default though to the current, spec compliant, behaviour.

The default value should probably be (! strict_spec_compliance), and the name of the parameter should be fixed so that it refers to EL. escapeElOutput ?

This seems similar to the enhancement request I added last September: https://issues.apache.org/bugzilla/show_bug.cgi?id=43497
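As an added illustration of the behaviour the patch proposes (this is not the attached patch and not Tomcat/Jasper code), the snippet below renders a toy JSP-like template twice: once with `${name}` substituted raw, as the spec-compliant default does, and once with the value XML-escaped, as the patch would do when its switch is on. The escaping set (`&`, `<`, `>`, `"`, `'`) is assumed to match what JSTL's `<c:out>` applies; the `render` helper, the `escapeEl` flag and the sample parameter value are constructed for this example and are not part of the patch.

```java
// Added example: what "escaping EL output" means for a ${...} expression.
// NOT the attached patch and NOT Jasper code; the escaping rule is assumed to
// be the one JSTL's <c:out> uses (&, <, >, ", ').
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ElOutputEscaping {

    /** Replace the five characters that can change XML/HTML structure. */
    static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Matches the simplest EL form, ${identifier}; real EL is far richer.
    private static final Pattern EL =
        Pattern.compile("\\$\\{([A-Za-z_][A-Za-z0-9_]*)\\}");

    /** Toy stand-in for a JSP page: substitute ${name} with values, raw or escaped. */
    static String render(String template, Map<String, String> values, boolean escapeEl) {
        Matcher m = EL.matcher(template);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String v = values.getOrDefault(m.group(1), "");
            if (escapeEl) v = escapeXml(v);
            // quoteReplacement keeps '$' and '\' in the value from being
            // interpreted as back-references.
            m.appendReplacement(sb, Matcher.quoteReplacement(v));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a request parameter carrying markup characters.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "O'Reilly & <Sons> \"Ltd\"");
        String page = "<p>Hello, ${name}!</p>";

        // Spec-compliant default: the value is written raw, so '<' and '"'
        // reach the browser as markup.
        System.out.println(render(page, params, false));
        // With escaping on: the same characters become inert entities.
        System.out.println(render(page, params, true));
    }
}
```

In Jasper the switch would be a JspServlet init parameter configured alongside trimSpaces rather than a boolean argument; the name used for it in the reworked patch (escapeXml) is the one the later comments ask to rename so that it refers to EL output, so treat it as a proposal rather than a shipped setting.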