geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dave Colasurdo <>
Subject Re: geronimo 1.0 - CSS vulnerabilities - response from Tomcat team
Date Wed, 18 Jan 2006 20:34:17 GMT

Snippets from another offline conversation with the Tomact folks..

 >> Has Tomcat (the container) considered checking input URIs for scripting
 >> tags and rendering them innocuous by substitution (e.g. <script> -->
 >> &lt;script&gt;) therefore never writing back scripting tags to the
 >> browser?  Are there drawbacks to this approach?

I think it's been considered in the past, though I'm not certain what
the conclusions were.  It wouldn't be that hard to do with a Valve for
the server as a whole, or with a Filter (which would also be
server-independent and thus more portable) for a specific webapp.

 >> Do you forsee any difficulty with using a jsp-examples snapshot from
 >> 5.5.16 with the Tomcat 5.5.15 runtime?

No, that should be fine.

 >>  Better yet, any chance of
 >> getting the TC 5.5.15 jsp-examples war with the security vulnerability
 >> fixed?

No, we don't want to re-package and re-tag for this issue.

View raw message