Bug 34875

Summary: XML and HTMLLayout do not always escape special characters
Product: Log4j - Now in Jira
Reporter: Curt Arnold <carnold>
Component: Layout
Assignee: log4j-dev <log4j-dev>
Severity: normal
CC: kay.abendroth
Priority: P2
Keywords: PatchAvailable
Version: 1.3alpha
Target Milestone: ---
Hardware: Other
OS: other
Attachments:
- Patched Transform.java
- Patched XMLLayout.java
- TestCase for org.apache.log4j.helpers.Transform.sanitize4XML()

Description Curt Arnold 2005-05-11 22:36:21 UTC
The XMLLayout does not escape special characters like " and ">" if they appear in the logger name, level or 
thread name.  Most likely they would result in non-well-formed XML, but you could use a specially 
crafted thread name to change the severity or logger name for the error.
Comment 1 Kay Abendroth 2006-11-10 06:30:32 UTC
I have added a method sanitize4XML to ...helpers.Transform and changed XMLLayout
accordingly. TestCase and the two new files will be attached to this bug. A
patch-file will be attached later.
Comment 2 Kay Abendroth 2006-11-10 06:32:06 UTC
Created attachment 19109
Patched Transform.java
Comment 3 Kay Abendroth 2006-11-10 06:32:46 UTC
Created attachment 19110
Patched XMLLayout.java
Comment 4 Kay Abendroth 2006-11-10 06:34:15 UTC
Created attachment 19112
TestCase for org.apache.log4j.helpers.Transform.sanitize4XML()
Comment 5 Elias Ross 2007-01-28 03:20:27 UTC
Thread name seems like it would be a problem sometimes.

escapeTags should probably be patched, rather than create a new method.  A &
character in HTML is still not valid, for instance.

Otherwise looks good.
Comment 6 Curt Arnold 2007-01-28 21:05:51 UTC
I agree this needs to be addressed, but I don't particularly like the patch as it does not address other 
XMLLayout related issues like the presence of ]]> within message text which will result in an early 
termination of the CDATA section.
Comment 7 Curt Arnold 2007-08-09 15:58:03 UTC
XSLTLayout added in issue 43077 should not have the same issue on special characters.
Comment 8 Curt Arnold 2007-08-10 15:09:56 UTC
Problem also affects HTMLLayout.   Committed tests and fixes (similar but not identical to submissions) in 
rev 564779 (on log4j 1.2 branch).

CDATA end sequence did appear to be properly escaped when it appeared in message text.
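
The two concerns raised in this report, attribute values that are written without escaping and a `]]>` sequence inside message text, are illustrated below. This is an added example, not code from the attachments, the committed fix or log4j itself: the class `EventEscapingDemo`, its methods and the simplified `<event>` element are hypothetical, and the sample values are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

// Added illustration: class, methods and the simplified <event> layout are
// hypothetical and are not log4j code.
public class EventEscapingDemo {
    // Escape a value for a double-quoted XML attribute. '&' must go first so
    // the entities produced by the later replacements are not escaped again.
    static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    // Wrap text in CDATA, splitting every "]]>" across two sections so the
    // message cannot terminate the section early.
    static String cdata(String s) {
        return "<![CDATA[" + s.replace("]]>", "]]]]><![CDATA[>") + "]]>";
    }

    static String render(String logger, String level, String thread,
                         String msg, boolean escape) {
        if (escape) {
            logger = escapeAttr(logger);
            level = escapeAttr(level);
            thread = escapeAttr(thread);
        }
        return "<event logger=\"" + logger + "\" level=\"" + level
            + "\" thread=\"" + thread + "\"><message>" + cdata(msg)
            + "</message></event>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: markup characters in the thread name,
        // "]]>" inside the message text.
        String thread = "worker \"<1>\" & co";
        String msg = "array[idx[0]]> limit";
        System.out.println(render("app.Db", "ERROR", thread, msg, false));
        String safe = render("app.Db", "ERROR", thread, msg, true);
        System.out.println(safe);
        // The escaped form is well-formed and every field round-trips.
        Element e = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(safe.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        System.out.println("thread  = " + e.getAttribute("thread"));
        System.out.println("message = " + e.getTextContent());
    }
}
```

The first line printed is the unescaped rendering, which is not well-formed; the escaped rendering parses, and the thread name and message come back exactly as they were supplied.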