DO NOT REPLY [Bug 43497] Add ability to escape rendered output of JSP expressions

2011-03-03 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=43497 --- Comment #6 from Nacho Coloma 2011-03-03 07:46:15 EST --- I disagree. 99% of the XSS injection cases are described in the mentioned link as RULE #1: escape HTML. Even worse, 99% of these cases could be implemented by simply escaping < or

DO NOT REPLY [Bug 43497] Add ability to escape rendered output of JSP expressions

2011-03-03 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=43497 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

DO NOT REPLY [Bug 43497] Add ability to escape rendered output of JSP expressions

2011-02-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=43497 --- Comment #4 from Chin Huang 2011-02-27 13:49:50 EST --- If you don't want to patch Tomcat, here is a custom ELResolver that XML-escapes EL values. You just have to add a servlet context listener to web.xml to configure it in your web ap

DO NOT REPLY [Bug 43497] Add ability to escape rendered output of JSP expressions

2011-01-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=43497 Neil Donewar changed: What|Removed |Added CC||n...@donewar.com -- Configure bugm

DO NOT REPLY [Bug 43497] Add ability to escape rendered output of JSP expressions

2010-10-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=43497 Nacho Coloma changed: What|Removed |Added CC||icol...@gmail.com -- Configure bug

DO NOT REPLY [Bug 43497] Add ability to escape rendered output of JSP expressions

2010-10-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=43497 --- Comment #3 from Nacho Coloma 2010-10-20 10:48:11 EDT --- Any chance this bug receives some attention? Any application on Tomcat is susceptible to XSS attacks, and it should be easy to fix. Keeping the current behavior as default is reas

DO NOT REPLY [Bug 43497] Add ability to escape rendered output of JSP expressions

2008-08-31 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=43497 Mark Thomas <[EMAIL PROTECTED]> changed: What|Removed |Added CC||[EMAIL PROTECTED]

DO NOT REPLY [Bug 43497] - Add ability to escape rendered output of JSP expressions

2007-09-26 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://issues.apache.org/bugzilla/show_bu