Author: markt Date: Fri Mar 6 14:55:45 2009 New Revision: 750927 URL: http://svn.apache.org/viewvc?rev=750927&view=rev Log: Fix XSS in examples web application. This is CVE-2009-0781. Security page updates and formal announcement to follow.
Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?rev=750927&r1=750926&r2=750927&view=diff ============================================================================== --- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original) +++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Fri Mar 6 14:55:45 2009 @@ -305,6 +305,9 @@ [4.1.37] Configuration files Add support for system property replacement in configuration files +[4.1.40] CVE-2009-0781 + Fix XSS in calendar example + ------------------- Jasper New Features: Modified: tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp?rev=750927&r1=750926&r2=750927&view=diff ============================================================================== --- tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp (original) +++ tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp Fri Mar 6 14:55:45 2009 @@ -35,7 +35,7 @@ <FORM METHOD=POST ACTION=cal1.jsp> <BR> <BR> <INPUT NAME="date" TYPE=HIDDEN VALUE="current"> -<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= util.HTMLFilter.filter(time) %> +<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE="<%= util.HTMLFilter.filter(time) %>"> <BR> <h2> Description of the event <INPUT NAME="description" TYPE=TEXT SIZE=20> </h2> <BR> <INPUT TYPE=SUBMIT VALUE="submit"> </FORM>
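Review bot: The new [4.1.40] release-notes entry names only "calendar example"; since the fix is confined to the unquoted VALUE attribute in webapps/examples/jsp/cal/cal2.jsp, consider stating the file in the entry (for example "Fix XSS in calendar example (cal2.jsp)") so that readers of RELEASE-NOTES-4.1.txt can locate the change without consulting the commit.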
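Review bot: In the cal2.jsp hunk, quoting the VALUE attribute is the right fix, because an unquoted attribute value ends at the first whitespace and util.HTMLFilter.filter does not encode spaces, so filtering alone left the attribute context escapable; the change is only complete if HTMLFilter.filter also encodes the double quote, so please confirm that when reviewing. The same "time" value is posted to cal1.jsp (the form's ACTION), so it is worth checking that the sibling cal JSPs emit it into quoted attributes as well.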