activemq-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rob Davies (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (AMQ-1534) Unescaped text messages in message detail
Date Wed, 09 Apr 2008 10:29:32 GMT

     [ https://issues.apache.org/activemq/browse/AMQ-1534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Rob Davies resolved AMQ-1534.
-----------------------------

      Assignee: Rob Davies
    Resolution: Duplicate

duplicate of https://issues.apache.org/activemq/browse/AMQ-1013

> Unescaped text messages in message detail
> -----------------------------------------
>
>                 Key: AMQ-1534
>                 URL: https://issues.apache.org/activemq/browse/AMQ-1534
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.0.0
>         Environment: Browser
>            Reporter: Elliotte Rusty Harold
>            Assignee: Rob Davies
>            Priority: Critical
>
> The new HTTP based queue view is very useful. However it has one really annoying bug
that cost me some hours of debugging. Send a TextMessage to the queue containing a typical
HTML or XML document such as 
> <result></result>
> Then look at that message in the web browser and look at the message detail to see the
text of the message. The text appears to be blank, especially if the message only contains
tags and white space as was the case for me. Even if it isn't completely blank, the tags will
be missing.
> The problem is that the text of the message is displayed raw and added to the HTML. This
could even be a vector for XSS attacks since no escaping is performed.
> Before displaying the text it should be escaped. That is, & should be converted to
&amp; and < to &lt;. That should fix the critical problems. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message