Sun, 3 Nov 2024 at 03:46, Frankowski, Adam <adam.frankow...@nrc-cnrc.gc.ca>:
>
> Hi,
>
> We have noticed an issue that occurred when we attempted to upgrade to Apache
> Tomcat 9.0.96. We found that the <c:out> standard taglib did not properly
> escape XML strings anymore. This can lead to cross-site scripting (XSS)
> attacks if user input is not properly escaped.
There have been numerous reports about regressions with the lifecycle of tags
in Tomcat 9.0.96, all boiling down to

https://bz.apache.org/bugzilla/show_bug.cgi?id=69399
Bug 69399 - Tag.release() called between reuses

This is the first time I have seen a report about issues with <c:out>. This
has not been treated as a security issue yet.

There is a workaround, see "Comment 1" in the bug report:

<quote>
As a workaround, one may set enablePooling to false as described in
https://tomcat.apache.org/tomcat-9.0-doc/jasper-howto.html#Configuration.
</quote>

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
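The workaround quoted above (disable Jasper tag handler pooling) is applied through the init-params of the "jsp" servlet declared in Tomcat's conf/web.xml. The fragment below is an added illustration, not part of the thread or of Tomcat's own distribution files; it shows the relevant servlet declaration with enablePooling explicitly set to false (the default is true), while the other init-params are left at the values a stock conf/web.xml uses.

```xml
<!-- conf/web.xml: the Jasper JSP servlet declaration.
     Added example; only the enablePooling init-param is the change
     the bug report's workaround calls for. -->
<servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
        <param-name>fork</param-name>
        <param-value>false</param-value>
    </init-param>
    <!-- Workaround for Bug 69399: stop reusing tag handler instances,
         so Tag.release() can no longer be called between reuses. -->
    <init-param>
        <param-name>enablePooling</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>xpoweredBy</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
</servlet>
```

Pooling is decided when Jasper generates the servlet source for a JSP, so after changing this setting clear the previously compiled JSPs (the Tomcat work directory for the affected web applications) and restart, otherwise already-compiled pages keep the old pooling code. To confirm the setting took effect, re-render a page that passes user-supplied text through <c:out> and check that characters such as "<" and "&" arrive in the response as entities, which is what the original report describes as broken.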