ASF Bugzilla – Full Text Bug Listing
Summary: XML and HTMLLayout do not always escape special characters
Product: Log4j - Now in Jira
Reporter: Curt Arnold <carnold>
Description Curt Arnold 2005-05-11 22:36:21 UTC
The XMLLayout does not escape special characters like " and ">" if they appear in the logger name, level or thread name. Most likely they would result in non-well-formed XML, but you could use a specially crafted thread name to change the severity or logger name for the error.
Comment 1 Kay Abendroth 2006-11-10 06:30:32 UTC
I have added a method sanitize4XML to ...helpers.Transform and changed XMLLayout accordingly. TestCase and the two new files will be attached to this bug. A patch-file will be attached later.
Comment 2 Kay Abendroth 2006-11-10 06:32:06 UTC
Created attachment 19109: Patched Transform.java
Comment 3 Kay Abendroth 2006-11-10 06:32:46 UTC
Created attachment 19110: Patched XMLLayout.java
Comment 4 Kay Abendroth 2006-11-10 06:34:15 UTC
Created attachment 19112: TestCase for org.apache.log4j.helpers.Transform.sanitize4XML()
Comment 5 Elias Ross 2007-01-28 03:20:27 UTC
Thread name seems like it would be a problem sometimes. escapeTags should probably be patched, rather than create a new method. A & character in HTML is still not valid, for instance. Otherwise looks good.
Comment 6 Curt Arnold 2007-01-28 21:05:51 UTC
I agree this needs to be addressed, but I don't particularly like the patch as it does not address other XMLLayout related issues like the presence of ]]> within message text, which will result in an early termination of the CDATA section.
Comment 7 Curt Arnold 2007-08-09 15:58:03 UTC
XSLTLayout added in issue 43077 should not have the same issue on special characters.
Comment 8 Curt Arnold 2007-08-10 15:09:56 UTC
Problem also affects HTMLLayout. Committed tests and fixes (similar but not identical to submissions) in rev 564779 (on log4j 1.2 branch). CDATA end sequence did appear to be properly escaped when it appeared in message text.
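As an added illustration (not log4j's own Transform or XMLLayout code), the escaping this thread converges on: attribute content from the logger, level and thread name is entity-escaped, and a literal "]]>" inside the CDATA message is split so the section cannot end early. The element names and the toggle that mimics the unescaped behaviour are assumptions, modelled loosely on log4j 1.2's XMLLayout.

```python
import xml.etree.ElementTree as ET

LOG4J_NS = "http://jakarta.apache.org/log4j/"


def escape_xml_text(value: str) -> str:
    """Escape the characters that would otherwise break out of an attribute or element."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def cdata(value: str) -> str:
    """Wrap value in CDATA; a literal ']]>' would terminate the section, so split it in two."""
    return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def format_event(logger: str, level: str, thread: str, message: str, escape: bool = True) -> str:
    """Build a log4j-style <log4j:event>. escape=False mimics the bug (values copied verbatim).
    The element layout is an assumption, not log4j's exact output."""
    esc = escape_xml_text if escape else (lambda s: s)
    return (f'<log4j:event logger="{esc(logger)}" level="{esc(level)}" thread="{esc(thread)}">'
            f'<log4j:message>{cdata(message)}</log4j:message></log4j:event>')


def parse_event(xml_text: str):
    """Parse one event back into (logger, level, thread, message).
    Returns None when the output is not well-formed XML, i.e. a downstream consumer would choke."""
    wrapped = f'<root xmlns:log4j="{LOG4J_NS}">{xml_text}</root>'
    try:
        root = ET.fromstring(wrapped)
    except ET.ParseError:
        return None
    ns = {"log4j": LOG4J_NS}
    ev = root.find("log4j:event", ns)
    msg = ev.find("log4j:message", ns)
    return (ev.get("logger"), ev.get("level"), ev.get("thread"), msg.text)


if __name__ == "__main__":
    # Constructed sample: a thread name carrying every troublesome character and a ']]>' message.
    thread_name = 'pool<1> & "main"'
    print(parse_event(format_event("org.example.App", "INFO", thread_name, "a]]>b")))
    print(parse_event(format_event("org.example.App", "INFO", thread_name, "x", escape=False)))
```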