| Summary: | StandardHostValve.status unnecessarily HTML-escapes the error message | ||
|---|---|---|---|
| Product: | Tomcat 6 | Reporter: | Roland Illig <roland.illig> |
| Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | Keywords: | ErrorMessage |
| Priority: | P2 | ||
| Version: | 6.0.18 | ||
| Target Milestone: | default | ||
| Hardware: | All | ||
| OS: | All | ||
I fixed this for trunk as I can't see any negative security (XSS) impact. I'll leave it a little while before proposing for backport in case others see something I missed. This has been fixed in 6.0.x and will be included in 6.0.21 onwards. |
I have written a JSP page that prints all request attributes verbatimly to the output. When I access it as http://localhost:8100/roland/404& it outputs the following HTML code: <body> javax.servlet.error.message=/roland/404&amp;<br> javax.servlet.error.request_uri=/roland/404&<br> ... </body> I was surprised that the error.message has been HTML-escaped, but the error.request hasn't. What's the intention of this escaping? It feels like Catalina is imitating PHP's magic-quotes here, which it shouldn't. In my opinion, the error message should be copied to the request attribute as-is and not being passed through RequestUtil.filter, so the programmer can write it to log files or a text/plain error page without unfiltering it first.