DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=40901>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40901

Summary: listings page does not escape XML characters
Product: Tomcat 5
Version: 5.5.17
Platform: Other
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: Unknown
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]

On Solaris you can have a file or directory name called "<b>xxx" or "<i>yyy". Using Tomcat's listings feature, you get a directory listing with the file name in bold or italics.

I am not familiar with JavaScript or cross-site scripting security problems, but I believe Tomcat escapes XML characters like ">" and "<" to prevent client browsers from interpreting HTML codes that are not intended to be interpreted as such for the default error page. I think the same should be done for listings, or a warning should be added to the documentation not to use it if you have no control over the file/directory names you list.