On Solaris you can have a file or directory name called "<b>xxx" or "<i>yyy". Using Tomcat's listings feature, you get a directory listing with the file name in bold or italics. I am not familiar with Javascript or cross-site scripting security problems, but I believe Tomcat escapes XML characters like ">" and "<" in the default error page to prevent client browsers from interpreting HTML code that is not intended to be interpreted as such. I think the same should be done for listings, or a warning should be added to the documentation not to use it if you have no control over the file/directory names you list.
Created attachment 19093: Patch to DefaultServlet.java that HTML-encodes filenames for directory indexing
Confirmed on Linux as well. I'm attaching a simple patch that incorporates basic HTML encoding into o.a.catalina.servlets.DefaultServlet when outputting a directory index (whether as HTML or XML). The method in question is basically the same as used in o.a.catalina.util.DOMWriter and in HTMLFilter.java in the JSR152/154 examples.
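The following is an added illustration of the kind of encoding the comment above describes, not the attached patch and not Tomcat's own code. The class, method names and the sample file names are assumptions made for the example; it shows the same listing row built once with the raw file name (the behaviour the bug reports) and once with the name HTML-encoded, using the same five-character escape set (&, <, >, ", ') that the DOMWriter/HTMLFilter-style helpers use.

```java
import java.util.List;

public class DirectoryListingEncoder {

    // HTML-encode a file name so it is rendered as text rather than parsed
    // as markup when it is inserted into the generated listing.
    public static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable rendering: the file name is interpolated as-is, so a name
    // such as "<b>xxx</b>" becomes live markup in the listing page.
    public static String renderRowUnsafe(String name) {
        return "<tr><td><a href=\"" + name + "\">" + name + "</a></td></tr>";
    }

    // Hardened rendering: the name is encoded before it reaches either the
    // attribute value or the element text.
    public static String renderRowSafe(String name) {
        String enc = htmlEncode(name);
        return "<tr><td><a href=\"" + enc + "\">" + enc + "</a></td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample names (hypothetical), mirroring the report plus
        // one that breaks out of the href attribute.
        List<String> names = List.of(
            "<b>xxx</b>",
            "<i>yyy</i>",
            "\"><script>alert(1)</script>",
            "plain.txt");
        for (String n : names) {
            System.out.println("unsafe: " + renderRowUnsafe(n));
            System.out.println("safe:   " + renderRowSafe(n));
        }
    }
}
```

Run with `javac DirectoryListingEncoder.java && java DirectoryListingEncoder`. In a real servlet the href part of the row should additionally be percent-encoded as a URL path segment; the example applies only the HTML encoding because that is the gap the report is about.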
Thanks Chris! BTW: the file/directory names should be "<b>xxx<b>", "<i>yyy<i>" to get the HTML code interpreted by the browser. Somehow I lost the end tags in my posting. I tried jarring them up and unjarring them to Windows to see if I could reproduce it there. Alas, IOExc during unjarring.
Many thanks for the patch. A variation has been applied to SVN and will be included in 5.5.21 onwards.