Bug 34875 - XML and HTMLLayout do not always escape special characters
Summary: XML and HTMLLayout do not always escape special characters
Alias: None
Product: Log4j - Now in Jira
Classification: Unclassified
Component: Layout
Version: 1.3alpha
Hardware: Other other
Importance: P2 normal
Target Milestone: ---
Assignee: log4j-dev
Keywords: PatchAvailable
Depends on:
Reported: 2005-05-11 22:36 UTC by Curt Arnold
Modified: 2007-08-10 15:09 UTC

Patched Transform.java (4.29 KB, text/plain)
2006-11-10 06:32 UTC, Kay Abendroth
Patched XMLLayout.java (6.84 KB, text/plain)
2006-11-10 06:32 UTC, Kay Abendroth
TestCase for org.apache.log4j.helpers.Transform.sanitize4XML() (842 bytes, text/plain)
2006-11-10 06:34 UTC, Kay Abendroth

Description Curt Arnold 2005-05-11 22:36:21 UTC
The XMLLayout does not escape special characters like '"' and '>' if they appear in the logger name, level or thread name. Most likely they would result in non-well-formed XML, but you could use a specially crafted thread name to change the severity or logger name for the error.
Comment 1 Kay Abendroth 2006-11-10 06:30:32 UTC
I have added a method sanitize4XML to ...helpers.Transform and changed XMLLayout
accordingly. TestCase and the two new files will be attached to this bug. A
patch-file will be attached later.
Comment 2 Kay Abendroth 2006-11-10 06:32:06 UTC
Created attachment 19109
Patched Transform.java
Comment 3 Kay Abendroth 2006-11-10 06:32:46 UTC
Created attachment 19110
Patched XMLLayout.java
Comment 4 Kay Abendroth 2006-11-10 06:34:15 UTC
Created attachment 19112
TestCase for org.apache.log4j.helpers.Transform.sanitize4XML()
Comment 5 Elias Ross 2007-01-28 03:20:27 UTC
Thread name seems like it would be a problem sometimes.

escapeTags should probably be patched, rather than creating a new method. A & character in HTML is still not valid, for instance.

Otherwise looks good.
Comment 6 Curt Arnold 2007-01-28 21:05:51 UTC
I agree this needs to be addressed, but I don't particularly like the patch as it does not address other XMLLayout related issues like the presence of ]]> within message text, which will result in an early termination of the CDATA section.
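As an added illustration of the two problems raised in the description and in Comment 6 (example code, not log4j's own Transform or XMLLayout source), the helpers below escape the XML special characters in attribute values and split any embedded "]]>" so a CDATA section cannot be closed early; the class and method names are hypothetical.

```java
/** Hypothetical hardened helpers for the fix the report asks for (added example, not log4j code). */
public final class SafeXmlLayoutDemo {
    private SafeXmlLayoutDemo() {}

    /** Escape a value for an XML attribute or text node: the five predefined entities plus illegal control chars. */
    public static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:
                    // Drop control characters that XML 1.0 does not allow (keep tab, LF, CR).
                    if (c >= 0x20 || c == '\t' || c == '\n' || c == '\r') sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Wrap text in CDATA, splitting any embedded "]]>" so it cannot terminate the section early. */
    public static String cdata(String s) {
        String body = (s == null) ? "" : s.replace("]]>", "]]]]><![CDATA[>");
        return "<![CDATA[" + body + "]]>";
    }

    /** Render one event in XMLLayout's shape with every attribute and the message escaped. */
    public static String format(String logger, String level, String thread, String message) {
        return "<log4j:event logger=\"" + escapeXml(logger)
            + "\" level=\"" + escapeXml(level)
            + "\" thread=\"" + escapeXml(thread) + "\">\n"
            + "  <log4j:message>" + cdata(message) + "</log4j:message>\n"
            + "</log4j:event>";
    }

    public static void main(String[] args) {
        // Constructed inputs: a thread name containing the quote and '>' characters the report
        // mentions, and a message containing the CDATA terminator from Comment 6.
        String thread = "worker\" level=\"FATAL";
        String message = "done ]]> <not-an-element/>";
        System.out.println(format("com.example.App", "INFO", thread, message));
    }
}
```

Running it shows the thread name rendered as a single thread attribute with &quot; entities, and the CDATA terminator split so the message remains one text node.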
Comment 7 Curt Arnold 2007-08-09 15:58:03 UTC
XSLTLayout added in issue 43077 should not have the same issue on special characters.
Comment 8 Curt Arnold 2007-08-10 15:09:56 UTC
Problem also affects HTMLLayout. Committed tests and fixes (similar but not identical to submissions) in rev 564779 (on log4j 1.2 branch).

CDATA end sequence did appear to be properly escaped when it appeared in message text.