Created attachment 22455 [details] Test JSP Hi everyone, There is an old post from Matt Raible regarding an XSS vulnerability present in all tomcat installations by default: http://raibledesigns.com/rd/entry/java_web_frameworks_and_xss The JSP I have attached shows a quick-and-dirty test to inject arbitrary HTML into your page using EL expressions like ${foobar}. I know that "<c:out>" can be used as a workaround, but it is quite verbose and easy to miss. As part of my job as a developer of Loom (http://www.loom.extrema-sistemas.com/) I have prepared a patch for Generator.java so XML content obtained from EL expressions can be configured to be escaped defaulting to false (to keep current behavior, but maybe true would be the safe bet here). Regards Rafa
Created attachment 22456 [details] Patch Here is the patch for the trunk. To start escaping XML content just add "-Dgenerator.escapeXml=true" to your VM arguments.
I don't see a need for this to be a system property. It should be another parameter on the JSP Servlet like trimSpaces. Could you re-work the patch?
Created attachment 22472 [details] Reworked patch Hi Mark, I think you are right about the way this should be configured, so here is the new patch. The JspServlet parameter to en/disable XML escaping is named escapeXml. BTW, I have changed the current behavior, so ${foo} escapes XML by default. Regards Rafa
Thanks for this. There are some other EL issues I want to get fixed first and then I'll look at integrating this patch. I'll change the default though to the current, spec compliant, behaviour.
The default value should probably be (! strict_spec_complaince), and the name of the parameter should be fixed so that it refers to EL. escapeElOutput ?
This seems similar to the enhancement request I added last September: https://issues.apache.org/bugzilla/show_bug.cgi?id=43497
*** This bug has been marked as a duplicate of bug 43497 ***