Bug 40901 - listings page does not escape XML characters
Summary: listings page does not escape XML characters
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Unknown
Version: 5.5.17
Hardware: Other Solaris
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
Reported: 2006-11-05 20:38 UTC by Dies Koper
Modified: 2006-11-10 13:17 UTC

Attachments
Patch to DefaultServlet.java that HTML-encodes filenames for directory indexing (2.23 KB, patch)
2006-11-06 14:04 UTC, Chris Halstead

Description Dies Koper 2006-11-05 20:38:27 UTC
On Solaris you can have a file or directory name called "<b>xxx" or "<i>yyy".
Using Tomcat's listings feature, you get a directory listing with the file name
in bold or italics.

I am not familiar with JavaScript or cross-site scripting security problems, but
I believe Tomcat escapes XML characters like ">" and "<" to prevent client
browsers from interpreting HTML codes that are not intended to be interpreted as
such for the default error page.
I think the same should be done for listings, or a warning should be added to
the documentation not to use it if you have no control over the file/directory
names you list.
Comment 1 Chris Halstead 2006-11-06 14:04:19 UTC
Created attachment 19093
Patch to DefaultServlet.java that HTML-encodes filenames for directory indexing
Comment 2 Chris Halstead 2006-11-06 14:04:33 UTC
Confirmed on Linux as well.  I'm attaching a simple patch that incorporates
basic HTML encoding into o.a.catalina.servlets.DefaultServlet when outputting a
directory index (whether as HTML or XML).  The method in question is basically
the same as used in o.a.catalina.util.DOMWriter and in HTMLFilter.java in the
JSR152/154 examples.
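The escaping Comment 2 describes, as an added example (not attachment 19093 and not Tomcat's own DefaultServlet code): a DOMWriter-style markup escaper applied to file names before they are written into a directory index, run over the names from the report. The class and method names are hypothetical.

```java
// Added example, not the patch from this bug: escape the characters that are
// significant in HTML/XML before a file name reaches the listing output.
public class ListingEscapeDemo {

    /** Replace the five characters that carry markup meaning in HTML and XML. */
    static String escapeMarkup(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // &apos; is not an HTML 4 entity
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The behaviour the report describes: the raw name is emitted as markup. */
    static String rowUnescaped(String name) {
        return "<tr><td><a href=\"" + name + "\">" + name + "</a></td></tr>";
    }

    /**
     * The fixed behaviour: the name is escaped in both the attribute value and
     * the text content, so "<b>xxx</b>" renders literally instead of as bold.
     * (URL-encoding of the href path is a separate step, omitted here.)
     */
    static String rowEscaped(String name) {
        String safe = escapeMarkup(name);
        return "<tr><td><a href=\"" + safe + "\">" + safe + "</a></td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample names: the ones from the report (end tags restored per Comment 3)
        // plus a name containing an attribute delimiter.
        String[] names = { "<b>xxx</b>", "<i>yyy</i>", "a\"b&c.txt" };
        for (String n : names) {
            System.out.println("unescaped: " + rowUnescaped(n));
            System.out.println("escaped:   " + rowEscaped(n));
        }
    }
}
```

For "<b>xxx</b>" the escaped row contains `&lt;b&gt;xxx&lt;/b&gt;` in both positions, so the browser shows the tags as text; the same output is well-formed inside an XML listing.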
Comment 3 Dies Koper 2006-11-06 16:07:58 UTC
Thanks Chris!

BTW: the file/directory names should be "<b>xxx<b>", "<i>yyy<i>" to get the HTML
code interpreted by the browser. Somehow I lost the end tags in my posting.

I tried jarring them up and unjarring them to Windows to see if I could
reproduce it there. Alas, IOExc during unjarring.
Comment 4 Mark Thomas 2006-11-10 13:17:32 UTC
Many thanks for the patch. A variation has been applied to SVN and will be
included in 5.5.21 onwards.