Bug 45652 - XSS patch for EL
Summary: XSS patch for EL
Status: RESOLVED DUPLICATE of bug 43497
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Jasper (show other bugs)
Version: unspecified
Hardware: All All
: P2 major (vote)
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2008-08-19 08:15 UTC by Rafael Serrano
Modified: 2008-08-31 10:34 UTC (History)
1 user (show)

Test JSP (394 bytes, application/octet-stream)
2008-08-19 08:15 UTC, Rafael Serrano
Patch (1007 bytes, patch)
2008-08-19 08:19 UTC, Rafael Serrano
Details | Diff
Reworked patch (2.58 KB, patch)
2008-08-22 05:50 UTC, Rafael Serrano
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Rafael Serrano 2008-08-19 08:15:41 UTC
Created attachment 22455 [details]
Test JSP

Hi everyone,

There is an old post from Matt Raible regarding an XSS vulnerability present in all tomcat installations by default:

The JSP I have attached shows a quick-and-dirty test to inject arbitrary HTML into your page using EL expressions like ${foobar}. I know that "<c:out>" can be used as a workaround, but it is quite verbose and easy to miss.

As part of my job as a developer of Loom (http://www.loom.extrema-sistemas.com/) I have prepared a patch for Generator.java so XML content obtained from EL expressions can be configured to be escaped defaulting to false (to keep current behavior, but maybe true would be the safe bet here).

Comment 1 Rafael Serrano 2008-08-19 08:19:06 UTC
Created attachment 22456 [details]

Here is the patch for the trunk.

To start escaping XML content just add "-Dgenerator.escapeXml=true" to your VM arguments.
Comment 2 Mark Thomas 2008-08-20 16:41:04 UTC
I don't see a need for this to be a system property. It should be another parameter on the JSP Servlet like trimSpaces. Could you re-work the patch?
Comment 3 Rafael Serrano 2008-08-22 05:50:40 UTC
Created attachment 22472 [details]
Reworked patch

Hi Mark,

I think you are right about the way this should be configured, so here is the new patch. The JspServlet parameter to en/disable XML escaping is named escapeXml.

BTW, I have changed the current behavior, so ${foo} escapes XML by default.

Comment 4 Mark Thomas 2008-08-22 06:03:18 UTC
Thanks for this. There are some other EL issues I want to get fixed first and then I'll look at integrating this patch. I'll change the default though to the current, spec compliant, behaviour.
Comment 5 Remy Maucherat 2008-08-22 07:43:09 UTC
The default value should probably be (! strict_spec_complaince), and the name of the parameter should be fixed so that it refers to EL. escapeElOutput ?
Comment 6 Matt Raible 2008-08-25 23:27:16 UTC
This seems similar to the enhancement request I added last September:

Comment 7 Mark Thomas 2008-08-31 10:34:16 UTC

*** This bug has been marked as a duplicate of bug 43497 ***