Hi, We have noticed an issue that occurred when we attempted to upgrade to Apache Tomcat 9.0.96. We found that the <c:out> standard taglib did not properly escape XML strings anymore. This can lead to cross-site scripting (XSS) attacks if user input is not properly escaped.
Has anybody else noticed this issue with 9.0.96? Attached is a simple JSP file that demonstrates the problem.

Tomcat 9.0.95 produces the following output, which is expected.

<html>
<head>
</head>
<body>
<h1>Escape bug</h1>
<ul>
<li>&lt;</li>
<li>&gt;</li>
<li>&#034;</li>
<li>&#039;</li>
<li>&amp;</li>
</ul>
</body>
</html>

Tomcat 9.0.96 produces the following output, which I think may be incorrect. It escapes the first output, but not any subsequent outputs.

<html>
<head>
</head>
<body>
<h1>Escape bug</h1>
<ul>
<li>&lt;</li>
<li>></li>
<li>"</li>
<li>'</li>
<li>&</li>
</ul>
</body>
</html>

I haven't tracked down the source of the issue yet. I haven't logged a bug in Bugzilla yet. I thought I would start with a question to the users list to see if anyone else noticed the same behaviour. If you have, please let me know.

Thank you for any and all replies,
Adam
<%@ page language="java" contentType="text/html" pageEncoding="UTF-8" %>
<%@ taglib uri="/WEB-INF/tld/c.tld" prefix="c" %>
<%
    // The five characters that <c:out> (escapeXml="true" by default) must escape.
    String s1 = "<";
    String s2 = ">";
    String s3 = "\"";
    String s4 = "'";
    String s5 = "&";
%>
<html>
<head>
</head>
<body>
<h1>Escape bug</h1>
<ul>
<li><c:out value="<%= s1 %>" /></li>
<li><c:out value="<%= s2 %>" /></li>
<li><c:out value="<%= s3 %>" /></li>
<li><c:out value="<%= s4 %>" /></li>
<li><c:out value="<%= s5 %>" /></li>
</ul>
</body>
</html>
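As an added regression check (not part of Adam's post or the Tomcat project), the Python script below takes the HTML that the attached JSP renders and reports which <li> items came through unescaped, so the behaviour can be verified on any Tomcat build by piping the fetched page into it. The two embedded samples are constructed to mirror the 9.0.95 and 9.0.96 outputs described above; the numeric entity forms for the quote characters follow JSTL's escapeXml behaviour.

```python
import html
import re
import sys

# The five raw values the attached JSP passes to <c:out>, in page order.
RAW_VALUES = ["<", ">", '"', "'", "&"]

# A raw markup character, or an '&' that does not start an entity reference.
UNESCAPED_CHAR = re.compile(r'[<>"\']|&(?![#A-Za-z0-9]+;)')


def list_items(rendered: str) -> list[str]:
    """Return the bodies of every <li>...</li> in the rendered page, in order."""
    return [body.strip() for body in re.findall(r"<li>(.*?)</li>", rendered, re.S)]


def is_escaped(body: str, raw: str) -> bool:
    """True if the item body decodes back to the raw value and contains no raw markup."""
    return html.unescape(body) == raw and UNESCAPED_CHAR.search(body) is None


def find_unescaped(rendered: str, raw_values=RAW_VALUES) -> list[int]:
    """0-based indices of <c:out> items that were emitted without escaping (or are missing)."""
    items = list_items(rendered)
    return [i for i, raw in enumerate(raw_values)
            if i >= len(items) or not is_escaped(items[i], raw)]


# Constructed sample of the expected (9.0.95-style) output: every item escaped.
SAMPLE_GOOD = """<html><body><h1>Escape bug</h1><ul>
<li>&lt;</li><li>&gt;</li><li>&#034;</li><li>&#039;</li><li>&amp;</li>
</ul></body></html>"""

# Constructed sample of the reported 9.0.96 behaviour: only the first item escaped.
SAMPLE_BAD = """<html><body><h1>Escape bug</h1><ul>
<li>&lt;</li><li>></li><li>"</li><li>'</li><li>&</li>
</ul></body></html>"""


if __name__ == "__main__":
    # Usage: curl -s http://host:8080/app/escape.jsp | python check_cout.py
    page = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BAD
    bad = find_unescaped(page)
    for i in bad:
        print(f"item {i + 1}: value {RAW_VALUES[i]!r} was NOT escaped")
    print("all <c:out> items escaped" if not bad else f"{len(bad)} unescaped item(s)")
    sys.exit(1 if bad else 0)
```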