Bug 31058

Summary: currentQueryString not escaped in status XML
Product: Tomcat 5
Reporter: Mark Smithson <mark>
Component: Webapps:Manager
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P3    
Version: 5.0.27   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: Very simple fix in the StatusTransformer calls in the manager webapp

Description Mark Smithson 2004-09-04 14:36:44 UTC
If Tomcat is servicing a request with a query string such 
as "id=6218&mode=view", the output of /manager/status?XML=true is not valid XML.

It appears that the & in the query string is not being escaped into &amp;.

Comment 1 Chris Perfect 2004-09-05 08:21:05 UTC
Created attachment 12648
Very simple fix in the StatusTransformer calls in the manager webapp

Comment 2 Mark Smithson 2004-09-05 14:27:33 UTC
Wouldn't it be better to escape all XML characters here?

For example, what about '>' and '<'? I am not intimate with the source, but is 
there an xmlEncode function available somewhere that could be used?

Comment 3 Chris Perfect 2004-09-06 10:28:10 UTC
I would hope so but I'm not that familiar with the code either :)

Comment 4 Yoav Shapira 2004-09-20 16:41:50 UTC
OK, fixed for both 5.0.29 and 5.5.3.  Used 
org.apache.catalina.util.RequestUtil#filter, which does XML-escaping properly, I 
think.