Details
- Bug
- Status: Open
- Minor
- Resolution: Unresolved
- 2.7.2
- None
- Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
- None
Description
While looking into packaging xalan in Guix (https://issues.guix.gnu.org/32947#30), I noticed some code that doesn't seem quite right. In Document.getStatistics():
out.println("<h2>DOM cache statistics</h2><center><table border=\"2\">"+
"<tr><td><b>Document URI</b></td>"+ [...])
a URL is put in the 'href' field. But the URL doesn't seem to be escaped anywhere. What if the URL is, say, "https://foo.bar/index.php?this=that&foo;car=bar"? Wouldn't that make the XML malformed? I could easily have missed something here though ...
(TBC, I did not encounter this in the wild, I'm just looking at source code)
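The following is an added illustration of the point raised in the report; it is not Xalan code and not the reporter's code. The methods `rowUnescaped`, `escapeAttr`, `rowEscaped` and `isWellFormedXml` are hypothetical stand-ins: the first reproduces the concatenation pattern quoted above, the escaped variant entity-encodes the five characters that can break out of an attribute value or start an entity reference, and the well-formedness check feeds the generated row to the JDK's built-in XML parser. With the constructed URL from the report, the unescaped row fails to parse (`&foo;` is an undeclared entity reference) while the escaped row parses cleanly.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

// Added example, not Xalan project code: shows why an unescaped URL in an
// href attribute breaks the generated markup, and how attribute escaping fixes it.
public final class HrefEscapeDemo {

    // Hypothetical stand-in for the unescaped concatenation quoted in the report.
    static String rowUnescaped(String uri) {
        return "<tr><td><a href=\"" + uri + "\">" + uri + "</a></td></tr>";
    }

    // Escape the characters that can terminate a quoted attribute value or
    // begin an entity reference. This is the minimal set for attribute context.
    static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Same row, but with the URI escaped before it is placed in the attribute
    // and in the element text.
    static String rowEscaped(String uri) {
        String safe = escapeAttr(uri);
        return "<tr><td><a href=\"" + safe + "\">" + safe + "</a></td></tr>";
    }

    // Well-formedness check using the JDK's XML parser: any fatal parse error
    // (for example an undeclared entity reference) makes this return false.
    static boolean isWellFormedXml(String rowFragment) {
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            // No DTD allowed, so an entity reference must be one of the five
            // predefined XML entities to be accepted.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.newDocumentBuilder()
                   .parse(new InputSource(new StringReader("<table>" + rowFragment + "</table>")));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed input, taken from the example URL in the report.
        String uri = "https://foo.bar/index.php?this=that&foo;car=bar";

        System.out.println("unescaped row: " + rowUnescaped(uri));
        System.out.println("well-formed?   " + isWellFormedXml(rowUnescaped(uri)));

        System.out.println("escaped row:   " + rowEscaped(uri));
        System.out.println("well-formed?   " + isWellFormedXml(rowEscaped(uri)));
    }
}
```

Run with `javac HrefEscapeDemo.java && java HrefEscapeDemo`. The escaping is applied at the point where the value is written into markup, which is the general rule for this class of bug: the URI string itself stays unchanged, only its representation inside the HTML/XML output is encoded for the context (attribute value or element text) it lands in.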