Bug 31058 - currentQueryString not escaped in status XML
Status: RESOLVED FIXED
Product: Tomcat 5
Classification: Unclassified
Component: Webapps:Manager
Version: 5.0.27
Hardware: PC Linux
Importance: P3 normal
Assigned To: Tomcat Developers Mailing List
Reported: 2004-09-04 14:36 UTC by Mark Smithson
Modified: 2004-11-16 19:05 UTC (History)
Attachments
Very simple fix in the StatusTransformer calls in the manager webapp (1.01 KB, patch)
2004-09-05 08:21 UTC, Chris Perfect

Description Mark Smithson 2004-09-04 14:36:44 UTC
If tomcat is servicing a request with a query string such 
as "id=6218&mode=view", the output of /manager/status?XML=true is not valid xml.

It appears that the & in the query string is not being escaped into &amp;.
Comment 1 Chris Perfect 2004-09-05 08:21:05 UTC
Created attachment 12648
Very simple fix in the StatusTransformer calls in the manager webapp
Comment 2 Mark Smithson 2004-09-05 14:27:33 UTC
Wouldn't it be better to escape all xml characters here?

For example what about '>' and '<'? I am not intimate with the source, but is 
there an xmlEncode function available somewhere that could be used?
Comment 3 Chris Perfect 2004-09-06 10:28:10 UTC
I would hope so but I'm not that familiar with the code either :)
Comment 4 Yoav Shapira 2004-09-20 16:41:50 UTC
OK, fixed for both 5.0.29 and 5.5.3.  Used 
org.apache.catalina.util.RequestUtil#filter, which does XML-escaping properly I 
think.
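
The failure reported in this thread and the effect of escaping all XML-significant characters, as an added example that is not part of the original bug report or Tomcat's code. The `xmlEscape` helper, the class name and the simplified `<status><worker .../></status>` layout are assumptions made for illustration, and the second sample query string is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class StatusXmlEscapeDemo {
    // Hypothetical helper (not Tomcat's RequestUtil#filter): escapes every
    // character that is markup-significant in XML text or attribute values.
    static String xmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }
    // Assumed, simplified layout of one status entry built by concatenation.
    static String workerXml(String value) {
        return "<status><worker currentQueryString=\"" + value + "\"/></status>";
    }
    // Returns the attribute as a consumer would read it, or null when the
    // document is not well-formed XML.
    static String parsedQueryString(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setErrorHandler(new DefaultHandler()); // keep parse errors off stderr
        try {
            byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
            Element root = b.parse(new ByteArrayInputStream(bytes)).getDocumentElement();
            return ((Element) root.getElementsByTagName("worker").item(0))
                    .getAttribute("currentQueryString");
        } catch (SAXException e) {
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        // First value is from the report; the second is a constructed sample.
        for (String qs : new String[] {"id=6218&mode=view", "q=a<b>\"c\""}) {
            System.out.println("raw     -> " + parsedQueryString(workerXml(qs)));
            System.out.println("escaped -> " + parsedQueryString(workerXml(xmlEscape(qs))));
        }
    }
}
```

Both raw values make the parser reject the document, while the escaped values round-trip to the original query string, which is why escaping only `&` would leave `<`, `>` and `"` able to break the output.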