On 02/03/18 17:05, Mark Thomas wrote:
> On 02/03/18 15:33, Konstantin Kolinko wrote:
>> 2018-03-02 14:51 GMT+03:00 <ma...@apache.org>:
>>> Author: markt
>>> Date: Fri Mar 2 11:51:19 2018
>>> New Revision: 1825713
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1825713&view=rev
>>> Log:
>>> Work-around a known, non-specification compliant behaviour in some versions
>>> of IE that can allow XSS when using the JMX proxy feature of the Manager
>>> application.
>>> Based on a suggestion from Muthukumar Marikani.
>>
>> It may be worth adding the same to ManagerServlet, HostManagerServlet
>> that use text/plain as well.
>
> I'm not sure. I'll take a closer look but the first one I looked at was
> HTML escaped because it is used by both Manager and HTMLManager.

It didn't take me long to find a route to an unescaped value. I'll expand this work-around to cover all the Manager and Host Manager servlets that return text/plain.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
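The thread above does not show the commit diff, so the following is an added example rather than Tomcat's own code: a servlet filter that applies the standard defence against a browser content-sniffing a `text/plain` body into HTML, the `X-Content-Type-Options: nosniff` response header. That this header is the work-around r1825713 uses is an assumption; the class name `NoSniffFilter` is hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Tomcat): tells the browser to honour the
 * declared Content-Type instead of sniffing the body. A text/plain response
 * that echoes an unescaped value (e.g. a JMX attribute or an error message
 * containing user input) is then rendered as text even by browsers that
 * would otherwise guess "this looks like HTML" and execute script in it.
 */
public class NoSniffFilter implements Filter {

    static final String HEADER = "X-Content-Type-Options";
    static final String VALUE = "nosniff";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) res;
            // Set the header before the servlet runs: once the servlet writes
            // enough output to commit the response, headers can no longer be
            // added, so doing it afterwards would silently fail.
            if (!resp.containsHeader(HEADER)) {
                resp.setHeader(HEADER, VALUE);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map it in the Manager and Host Manager web.xml to the text/plain endpoints (for example `/jmxproxy/*` and `/text/*`); Tomcat's bundled `org.apache.catalina.filters.HttpHeaderSecurityFilter` can also emit this header via its `blockContentTypeSniffing` init parameter, which is the option to check before writing a custom filter.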