https://issues.apache.org/bugzilla/show_bug.cgi?id=43497
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #5 from Mark Thomas <ma...@apache.org> 2011-03-03 07:14:32 EST ---

It is not as simple as this patch suggests. The necessary escaping to prevent XSS varies by context [1]. The necessary context information is not available to Tomcat so Tomcat is unable to ensure that the correct escaping is applied.

There are several possible approaches to solve this issue but none of them can be currently applied to Tomcat:

1. Provide methods to do this in the framework being used and expect/require developers to set the context appropriately.
2. Use a framework that is sufficiently strict that the context is always known and the necessary escaping can be applied automatically.
3. Modify the EL spec to allow the context to be supplied. At this point the escaping may as well be automatically applied as well.

Option 3 could be implemented in Tomcat if the EL spec was changed. That would be Tomcat 8 at the earliest.

[1] http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
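The point of the comment above is that one escaper cannot serve every place a value is written into a page. The following is an added illustration, not Tomcat code and not part of the bug thread: it implements one escaper per output context along the lines of the cited OWASP cheat sheet and, in main(), shows three constructed strings that survive plain HTML entity encoding when they land in an unquoted attribute, an event-handler attribute, or an href. The class and method names are this example's own; URLEncoder.encode(String, Charset) needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

/** Added example (not Tomcat code): one escaper per output context. */
public final class ContextEscaping {

    private ContextEscaping() {}

    /** HTML element content: entity-encode the five significant characters. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * HTML attribute value: entity-encode every non-alphanumeric ASCII character,
     * so whitespace and '=' can never start a second attribute even when the
     * template author forgot to quote the attribute.
     */
    public static String escapeHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isAsciiAlnum(c) || c >= 256) {
                sb.append(c);
            } else {
                sb.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return sb.toString();
    }

    /**
     * Inside a quoted JavaScript string literal: \xHH or \uHHHH-encode everything
     * but ASCII alphanumerics, so quotes, backslashes and "</script>" cannot end
     * the literal or the script block.
     */
    public static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (isAsciiAlnum(c)) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02x", (int) c));
            } else {
                sb.append(String.format("\\u%04x", (int) c));
            }
        }
        return sb.toString();
    }

    /** Query-string parameter value: percent-encode. */
    public static String escapeUrlParameter(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    /** Whole URL in href: no encoding changes the scheme, so the scheme is validated instead. */
    public static String safeHref(String url) {
        String lower = url.trim().toLowerCase(Locale.ROOT);
        if (!(lower.startsWith("http://") || lower.startsWith("https://"))) {
            return "#"; // reject rather than try to escape an unknown scheme
        }
        return escapeHtmlAttribute(url);
    }

    private static boolean isAsciiAlnum(char c) {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    public static void main(String[] args) {
        // Constructed test strings: each is inert in HTML body text and not in another context.
        String attr = "x onmouseover=run()";
        String js   = "'); run(); ('";
        String href = "javascript:run()";

        // Unquoted attribute: escapeHtml leaves ' ' and '=' alone, so a second attribute appears.
        System.out.println("<div class=" + escapeHtml(attr) + ">");          // two attributes
        System.out.println("<div class=" + escapeHtmlAttribute(attr) + ">"); // one attribute value

        // Event handler: the browser entity-decodes the attribute before parsing it as JS,
        // so escapeHtml alone is undone; JS-escape first, then attribute-escape the result.
        System.out.println("<a onclick=\"show('" + escapeHtml(js) + "')\">");
        System.out.println("<a onclick=\"show('" + escapeHtmlAttribute(escapeJsString(js)) + "')\">");

        // href: entity encoding does not touch the scheme; only validation does.
        System.out.println("<a href=\"" + escapeHtml(href) + "\">");
        System.out.println("<a href=\"" + safeHref(href) + "\">");
        System.out.println("?q=" + escapeUrlParameter(attr));
    }
}
```

Each pair of printed lines shows the same value first with body-context escaping and then with the escaper for the context it actually sits in; the template, not the value, decides which one is right, which is exactly the information the comment says an EL implementation does not have.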