https://issues.apache.org/bugzilla/show_bug.cgi?id=43497
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #5 from Mark Thomas <ma...@apache.org> 2011-03-03 07:14:32 EST ---
It is not as simple as this patch suggests.

The necessary escaping to prevent XSS varies by context [1]. The necessary
context information is not available to Tomcat so Tomcat is unable to ensure
that the correct escaping is applied.

There are several possible approaches to solve this issue but none of them can
be currently applied to Tomcat:
1. Provide methods to do this in the framework being used and expect/require
developers to set the context appropriately.
2. Use a framework that is sufficiently strict that the context is always known
and the necessary escaping can be applied automatically.
3. Modify the EL spec to allow the context to be supplied. At this point the
escaping may as well be automatically applied as well.

Option 3 could be implemented in Tomcat if the EL spec was changed. That would
be Tomcat 8 at the earliest.

[1]
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
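The context dependence described in the comment, as an added example (not Tomcat's or the EL spec's code): three escapers following the OWASP cheat-sheet rules cited above, plus a check showing that a value escaped for the HTML body still carries raw delimiters when it lands in an attribute or a JavaScript string literal. The `SAFE_OUTPUT` patterns and `SAMPLE` input are constructed for this example.

```python
import re

def escape_html_body(value: str) -> str:
    """OWASP rule 1: escape the six characters significant in element content."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
             "'": "&#x27;", "/": "&#x2F;"}
    return "".join(table.get(ch, ch) for ch in value)

def escape_html_attr(value: str) -> str:
    """OWASP rule 2: entity-encode every non-alphanumeric character below 256,
    which keeps a value intact even inside an unquoted attribute."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) or ord(ch) >= 256
                   else f"&#x{ord(ch):02X};" for ch in value)

def escape_js_string(value: str) -> str:
    """OWASP rule 3: \\xHH / \\uHHHH encode everything non-alphanumeric so no
    character can terminate a quoted JavaScript string literal."""
    return "".join(ch if ch.isascii() and ch.isalnum()
                   else f"\\x{ord(ch):02X}" if ord(ch) < 256
                   else f"\\u{ord(ch):04X}" for ch in value)

ESCAPERS = {"html_body": escape_html_body, "html_attr": escape_html_attr,
            "js_string": escape_js_string}

# What correctly escaped output may look like in each context (constructed
# for this example from the three rules above, not an OWASP artifact).
SAFE_OUTPUT = {
    "html_body": re.compile(r"""(?:[^<>&"'/]|&(?:amp|lt|gt|quot|#x27|#x2F);)*"""),
    "html_attr": re.compile(r"(?:[A-Za-z0-9]|&#x[0-9A-F]{2};|[^\x00-\xff])*"),
    "js_string": re.compile(r"(?:[A-Za-z0-9]|\\x[0-9A-F]{2}|\\u[0-9A-F]{4})*"),
}

def is_safe_in(escaped: str, context: str) -> bool:
    """True if already-escaped text contains nothing raw that `context` treats
    as a delimiter; shows that one context's escaping is not another's."""
    return SAFE_OUTPUT[context].fullmatch(escaped) is not None

def render(value: str, context: str) -> str:
    """Escape for a known output context. The context argument is exactly
    the information the EL spec does not give the container."""
    if context not in ESCAPERS:
        raise ValueError(f"unknown output context: {context!r}")
    return ESCAPERS[context](value)

# Constructed input: space, backslash, newline and quotes, each harmless in
# element content but a delimiter in an attribute or a JS string.
SAMPLE = "a b\\c\n'd'"
```

Calling `is_safe_in(escape_html_body(SAMPLE), ctx)` for each context returns True only for `"html_body"`, while `is_safe_in(render(SAMPLE, ctx), ctx)` is True for all three.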