Summary: StandardHostValve.status unnecessarily HTML-escapes the error message
Product: Tomcat 6
Component: Catalina
Reporter: Roland Illig <roland.illig>
Assignee: Tomcat Developers Mailing List <dev>
Description Roland Illig 2009-04-19 01:59:15 UTC
I have written a JSP page that prints all request attributes verbatim to the output. When I access it as http://localhost:8100/roland/404& it outputs the following HTML code:

<body>
javax.servlet.error.message=/roland/404&amp;<br>
javax.servlet.error.request_uri=/roland/404&<br>
...
</body>

I was surprised that the error.message has been HTML-escaped, but the error.request hasn't. What's the intention of this escaping? It feels like Catalina is imitating PHP's magic-quotes here, which it shouldn't. In my opinion, the error message should be copied to the request attribute as-is and not be passed through RequestUtil.filter, so the programmer can write it to log files or a text/plain error page without unfiltering it first.
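The report's underlying point is that escaping belongs at output time, in the component that knows the output context, not in the container at the time the attribute is stored. The following is an added illustration written for this page, not Tomcat's own code: a hypothetical error page renders the two attributes from the report for both text/plain and text/html, once with the attribute pre-escaped (the reported behaviour) and once with the raw value (the fix). The escaper is a minimal HTML text-node escaper, not RequestUtil.filter itself, and the message value for the 404 is taken to equal the request URI, as the report's output shows.

```java
// Added example, not Tomcat code. Demonstrates why pre-escaping the
// javax.servlet.error.message attribute breaks consumers: an HTML error page
// that correctly escapes on output double-escapes it, and a text/plain error
// page or log line leaks HTML entities.
import java.util.LinkedHashMap;
import java.util.Map;

public class ErrorMessageRendering {

    /** Minimal HTML text-node escaper (assumption: stands in for RequestUtil.filter). */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** What a text/plain error page or a log line should emit: the value as-is. */
    static String renderPlain(Map<String, Object> attrs) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            sb.append(e.getKey()).append('=').append(e.getValue()).append('\n');
        }
        return sb.toString();
    }

    /** What an HTML error page should emit: every attribute escaped exactly once, at output. */
    static String renderHtml(Map<String, Object> attrs) {
        StringBuilder sb = new StringBuilder("<body>\n");
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            sb.append(escapeHtml(e.getKey())).append('=')
              .append(escapeHtml(String.valueOf(e.getValue()))).append("<br>\n");
        }
        return sb.append("</body>\n").toString();
    }

    /**
     * Simulates the container populating the error attributes for the request in the
     * report. With preEscapeMessage=true the message is stored already HTML-escaped
     * (reported behaviour); with false it is stored raw (the fix).
     */
    static Map<String, Object> errorAttributes(String requestUri, boolean preEscapeMessage) {
        Map<String, Object> attrs = new LinkedHashMap<>();
        String message = requestUri; // in the report the 404 message equals the request URI
        attrs.put("javax.servlet.error.message", preEscapeMessage ? escapeHtml(message) : message);
        attrs.put("javax.servlet.error.request_uri", requestUri);
        return attrs;
    }

    public static void main(String[] args) {
        String uri = "/roland/404&"; // constructed from the request in the bug report

        System.out.println("--- container pre-escapes the message (reported behaviour) ---");
        Map<String, Object> escaped = errorAttributes(uri, true);
        System.out.print(renderPlain(escaped)); // message line shows '&amp;' in text/plain
        System.out.print(renderHtml(escaped));  // message line is double-escaped: '&amp;amp;'

        System.out.println("--- container stores the raw value (after the fix) ---");
        Map<String, Object> raw = errorAttributes(uri, false);
        System.out.print(renderPlain(raw));     // both attributes verbatim
        System.out.print(renderHtml(raw));      // both attributes escaped exactly once
    }
}
```

Run with `javac ErrorMessageRendering.java && java ErrorMessageRendering`. The point to take from the two HTML renderings is that the page, not the container, is the right place to escape: an error page that forgets to escape is an XSS bug regardless of what the container stored, while a page that escapes correctly is only made wrong by the container escaping first.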
Comment 1 Mark Thomas 2009-05-01 08:35:29 UTC
I fixed this for trunk as I can't see any negative security (XSS) impact. I'll leave it a little while before proposing for backport in case others see something I missed.
Comment 2 Mark Thomas 2009-06-03 10:23:16 UTC
This has been fixed in 6.0.x and will be included in 6.0.21 onwards.