A number of XSS issues have been reported against the examples. I will attach a patch for jakarta-servletapi-5 that fixes the reported issues (and a few others of a similar nature).
Created attachment 13896: Patch for XSS issues
Hi... Are you saying that when a user successfully logs in to the Tomcat Web Application Manager, they are able to control Tomcat? Please advise me. Your advice is greatly appreciated. Thanks!

(In reply to comment #0)
> A number of XSS issues have been reported against the examples.
> I will attach a patch for jakarta-servletapi-5 that fixes the reported issues
> (and a few others fo a similar nature).
Yes, but that has nothing to do with the XSS issue. The Manager application is for managing Tomcat. Therefore, if someone has access to the manager application they are managing (or controlling if you prefer) Tomcat. XSS issues provide an attacker that controls one (untrusted) web site with a mechanism for executing code on a client as if it was from another (trusted) web site. Try a google for XSS for more info.
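To make the distinction in the comment above concrete, here is an added example (not the attached patch, whose contents are not shown in this report, and not code from the Tomcat examples): the pattern that produces a reflected XSS in a page such as an example JSP, next to the same output with HTML escaping applied. The helper class and the constructed `q` parameter are assumptions standing in for `request.getParameter("q")` in a JSP.

```java
// Added example: a minimal HTML escaper and a before/after of the
// "copy the request parameter straight into the page" mistake.
import java.util.Map;

public class HtmlEscapeDemo {

    /**
     * Escape the characters that let untrusted text break out of an HTML
     * text node or a quoted attribute value.
     */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the parameter value is written into the page as-is. */
    static String renderUnsafe(Map<String, String> params) {
        return "<p>You searched for: " + params.get("q") + "</p>";
    }

    /** Hardened pattern: the same value, escaped for an HTML text context first. */
    static String renderSafe(Map<String, String> params) {
        return "<p>You searched for: " + escapeHtml(params.get("q")) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed request parameter (assumption) standing in for
        // request.getParameter("q") inside a JSP.
        Map<String, String> params = Map.of("q", "Tom & Jerry <b>\"bold\"</b>");

        // Markup in the parameter becomes live HTML in the response.
        System.out.println(renderUnsafe(params));
        // Markup is neutralised and displayed literally.
        System.out.println(renderSafe(params));
    }
}
```

The unsafe rendering is what lets a third-party site craft a link into the trusted site whose response carries that site's origin; the escaped rendering shows the same input as inert text. In JSP 2.0 pages the equivalent is available without a hand-written helper through the JSTL `fn:escapeXml` function or `<c:out>`, which escape by default.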
Applied the patch:

Checking in jsr152/examples/jsp2/el/functions.jsp;
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/el/functions.jsp,v  <--  functions.jsp
new revision: 1.5; previous revision: 1.4
done
Checking in jsr152/examples/jsp2/el/implicit-objects.jsp;
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/el/implicit-objects.jsp,v  <--  implicit-objects.jsp
new revision: 1.4; previous revision: 1.3
done

More commits to come...

Checking in jsr152/examples/jsp2/jspx/textRotate.jspx;
/home/cvs/jakarta-servletapi-5/jsr152/examples/jsp2/jspx/textRotate.jspx,v  <--  textRotate.jspx
new revision: 1.4; previous revision: 1.3
done

More commits to come...

Checking in jsr152/examples/snp/snoop.jsp;
/home/cvs/jakarta-servletapi-5/jsr152/examples/snp/snoop.jsp,v  <--  snoop.jsp
new revision: 1.3; previous revision: 1.2
done