From Kevan Miller <kevan.mil...@gmail.com>
Subject Re: geronimo 1.0 - CSS vulnerabilities - response from Tomcat team
Date Wed, 18 Jan 2006 15:01:21 GMT
Presumably in response to Dave's email to the Tomcat team, the following
changes were committed to the Tomcat example web applications yesterday afternoon (the "CSS" in the subject means cross-site scripting, i.e. XSS):

	From: 	  markt@apache.org
	Subject: 	svn commit: r369933 - in /tomcat/servletapi/servlet2.4- 
jsp2.0-tc5.x/jsr152/examples: cal/cal2.jsp security/protected/index.jsp
	Date: 	January 17, 2006 4:52:05 PM EST
	To: 	  tomcat-dev@jakarta.apache.org
	Reply-To: 	  dev@tomcat.apache.org

Author: markt
Date: Tue Jan 17 13:52:02 2006
New Revision: 369933

URL: http://svn.apache.org/viewcvs?rev=369933&view=rev
Log:
Fix XSS issues in examples.

Modified:
     tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/ 
cal2.jsp
     tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/ 
security/protected/index.jsp

Modified: tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/ 
cal/cal2.jsp
URL: http://svn.apache.org/viewcvs/tomcat/servletapi/servlet2.4- 
jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp? 
rev=369933&r1=369932&r2=369933&view=diff
======================================================================== 
======
--- tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/ 
cal2.jsp (original)
+++ tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/ 
cal2.jsp Tue Jan 17 13:52:02 2006
@@ -29,12 +29,12 @@

  <FONT SIZE=5> Please add the following event:
  <BR> <h3> Date <%= table.getDate() %>
-<BR> Time <%= time %> </h3>
+<BR> Time <%= util.HTMLFilter.filter(time) %> </h3>
  </FONT>
  <FORM METHOD=POST ACTION=cal1.jsp>
  <BR>
  <BR> <INPUT NAME="date" TYPE=HIDDEN VALUE="current">
-<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= time %>
+<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= util.HTMLFilter.filter 
(time) %>
  <BR> <h2> Description of the event <INPUT NAME="description"  
TYPE=TEXT SIZE=20> </h2>
  <BR> <INPUT TYPE=SUBMIT VALUE="submit">
  </FORM>
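Review bot: The hidden-field sink on the `VALUE=<%= util.HTMLFilter.filter(time) %>` line is still an unquoted attribute, so the filter alone does not close the hole: a `time` value containing whitespace (for example `x onmouseover=...`) terminates the attribute and injects a new one without using any of the characters an HTML filter typically encodes. Quote the attribute so the encoded `"` is the only way out: `<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE="<%= util.HTMLFilter.filter(time) %>">`. That tag also appears to lack its closing `>` on both sides of the diff (it runs straight into the next `<BR>`), which is worth fixing in the same change. `table.getDate()` two lines above is left unfiltered; whether it can carry request-supplied data, and where `time` itself is read, is not visible in this hunk.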

Modified: tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/ 
security/protected/index.jsp
URL: http://svn.apache.org/viewcvs/tomcat/servletapi/servlet2.4- 
jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp? 
rev=369933&r1=369932&r2=369933&view=diff
======================================================================== 
======
--- tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/ 
security/protected/index.jsp (original)
+++ tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/ 
security/protected/index.jsp Tue Jan 17 13:52:02 2006
@@ -49,11 +49,13 @@
    if (role.length() > 0) {
      if (request.isUserInRole(role)) {
  %>
-      You have been granted role <b><%= role %></b><br><br>
+      You have been granted role
+      <b><%= util.HTMLFilter.filter(role) %></b><br><br>
  <%
      } else {
  %>
-      You have <i>not</i> been granted role <b><%= role %></b><br><br>
+      You have <i>not</i> been granted role
+      <b><%= util.HTMLFilter.filter(role) %></b><br><br>
  <%
      }
    }
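Review bot: `role` is now passed through `util.HTMLFilter.filter` separately at each place it is echoed, which is correct at every visible sink but easy to miss at the next one someone adds. Since the value is only ever rendered or looked up, consider escaping once where it is read (that declaration sits above this hunk, outside the visible lines), e.g. `String safeRole = util.HTMLFilter.filter(role);`, and echoing `safeRole` in the two `<b>…</b>` lines here and in the form field below. The `request.isUserInRole(role)` lookup must keep the raw value, so both variables are needed. This assumes HTMLFilter encodes at least `<`, `>`, `&` and `"`, which suffices for element content and double-quoted attributes; if it does not encode `'`, the value must never be placed in a single-quoted attribute.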
@@ -62,7 +64,7 @@
  To check whether your username has been granted a particular role,
  enter it here:
  <form method="GET" action='<%= response.encodeURL("index.jsp") %>'>
-<input type="text" name="role" value="<%= role %>">
+<input type="text" name="role" value="<%= util.HTMLFilter.filter 
(role) %>">
  </form>
  <br><br>




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

	From: 	  markt@apache.org
	Subject: 	svn commit: r369934 - /tomcat/container/tc5.5.x/webapps/ 
docs/changelog.xml
	Date: 	January 17, 2006 4:53:04 PM EST
	To: 	  tomcat-dev@jakarta.apache.org
	Reply-To: 	  dev@tomcat.apache.org

Author: markt
Date: Tue Jan 17 13:53:01 2006
New Revision: 369934

URL: http://svn.apache.org/viewcvs?rev=369934&view=rev
Log:
Update changelog.

Modified:
     tomcat/container/tc5.5.x/webapps/docs/changelog.xml

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewcvs/tomcat/container/tc5.5.x/webapps/ 
docs/changelog.xml?rev=369934&r1=369933&r2=369934&view=diff
======================================================================== 
======
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Tue Jan 17  
13:53:01 2006
@@ -76,6 +76,13 @@
        </fix>
      </changelog>
    </subsection>
+  <subsection name="Webapps">
+    <changelog>
+      <fix>
+        Fix some XSS issues in the JSP examples. (markt)
+      </fix>
+    </changelog>
+  </subsection>
  </section>

  <section name="Tomcat 5.5.15 (yoavs)">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

	From: 	  markt@apache.org
	Subject: 	svn commit: r369935 - in /tomcat/container/branches/ 
tc4.1.x/webapps/examples/jsp: cal/cal2.jsp security/protected/index.jsp
	Date: 	January 17, 2006 4:53:53 PM EST
	To: 	  tomcat-dev@jakarta.apache.org
	Reply-To: 	  dev@tomcat.apache.org

Author: markt
Date: Tue Jan 17 13:53:49 2006
New Revision: 369935

URL: http://svn.apache.org/viewcvs?rev=369935&view=rev
Log:
Fix XSS issues in examples.

Modified:
     tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp
     tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/ 
protected/index.jsp

Modified: tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/ 
cal2.jsp
URL: http://svn.apache.org/viewcvs/tomcat/container/branches/tc4.1.x/ 
webapps/examples/jsp/cal/cal2.jsp? 
rev=369935&r1=369934&r2=369935&view=diff
======================================================================== 
======
--- tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/ 
cal2.jsp (original)
+++ tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/ 
cal2.jsp Tue Jan 17 13:53:49 2006
@@ -18,12 +18,12 @@

  <FONT SIZE=5> Please add the following event:
  <BR> <h3> Date <%= table.getDate() %>
-<BR> Time <%= time %> </h3>
+<BR> Time <%= util.HTMLFilter.filter(time) %> </h3>
  </FONT>
  <FORM METHOD=POST ACTION=cal1.jsp>
  <BR>
  <BR> <INPUT NAME="date" TYPE=HIDDEN VALUE="current">
-<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= time %>
+<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= util.HTMLFilter.filter 
(time) %>
  <BR> <h2> Description of the event <INPUT NAME="description"  
TYPE=TEXT SIZE=20> </h2>
  <BR> <INPUT TYPE=SUBMIT VALUE="submit">
  </FORM>
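Review bot: As in the 5.x copy of this file, the `VALUE=<%= util.HTMLFilter.filter(time) %>` attribute is unquoted, so a `time` value containing a space can still break out of the attribute and add an event handler without any of the characters the filter encodes. Quote it: `<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE="<%= util.HTMLFilter.filter(time) %>">`. The tag also appears to be missing its closing `>` on both sides of the diff, and `table.getDate()` above it remains unfiltered; where `time` is read is outside this hunk.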

Modified: tomcat/container/branches/tc4.1.x/webapps/examples/jsp/ 
security/protected/index.jsp
URL: http://svn.apache.org/viewcvs/tomcat/container/branches/tc4.1.x/ 
webapps/examples/jsp/security/protected/index.jsp? 
rev=369935&r1=369934&r2=369935&view=diff
======================================================================== 
======
--- tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/ 
protected/index.jsp (original)
+++ tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/ 
protected/index.jsp Tue Jan 17 13:53:49 2006
@@ -34,11 +34,13 @@
    if (role.length() > 0) {
      if (request.isUserInRole(role)) {
  %>
-      You have been granted role <b><%= role %></b><br><br>
+      You have been granted role
+      <b><%= util.HTMLFilter.filter(role) %></b><br><br>
  <%
      } else {
  %>
-      You have <i>not</i> been granted role <b><%= role %></b><br><br>
+      You have <i>not</i> been granted role
+      <b><%= util.HTMLFilter.filter(role) %></b><br><br>
  <%
      }
    }
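Review bot: This mirrors the 5.x change and has the same maintainability point: `role` is filtered at each of the three echo sites rather than once. Escaping it once where it is read (above this hunk, outside the visible lines), e.g. `String safeRole = util.HTMLFilter.filter(role);`, and rendering `safeRole` everywhere it is displayed would make a missed sink less likely, while `request.isUserInRole(role)` keeps using the raw value. The fix relies on HTMLFilter encoding at least `<`, `>`, `&` and `"`; that is enough for text and double-quoted attributes, but not for a single-quoted or unquoted attribute.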
@@ -47,7 +49,7 @@
  To check whether your username has been granted a particular role,
  enter it here:
  <form method="GET" action='<%= response.encodeURL("index.jsp") %>'>
-<input type="text" name="role" value="<%= role %>">
+<input type="text" name="role" value="<%= util.HTMLFilter.filter 
(role) %>">
  </form>
  <br><br>




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


