Bug 47050

Summary: StandardHostValve.status unnecessarily HTML-escapes the error message
Product: Tomcat 6 Reporter: Roland Illig <roland.illig>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: normal Keywords: ErrorMessage
Priority: P2    
Version: 6.0.18   
Target Milestone: default   
Hardware: All   
OS: All   

Description Roland Illig 2009-04-19 01:59:15 UTC
I have written a JSP page that prints all request attributes verbatimly to the output. When I access it as


it outputs the following HTML code:


I was surprised that the error.message has been HTML-escaped, but the error.request hasn't. What's the intention of this escaping? It feels like Catalina is imitating PHP's magic-quotes here, which it shouldn't.

In my opinion, the error message should be copied to the request attribute as-is and not being passed through RequestUtil.filter, so the programmer can write it to log files or a text/plain error page without unfiltering it first.
Comment 1 Mark Thomas 2009-05-01 08:35:29 UTC
I fixed this for trunk as I can't see any negative security (XSS) impact. I'll leave it a little while before proposing for backport in case others see something I missed.
Comment 2 Mark Thomas 2009-06-03 10:23:16 UTC
This has been fixed in 6.0.x and will be included in 6.0.21 onwards.