Return-Path: 
 <dev-return-76062-apmail-tomcat-dev-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-dev-archive@www.apache.org
Received: (qmail 35949 invoked from network); 6 Nov 2006 04:38:53 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 6 Nov 2006 04:38:53 -0000
Received: (qmail 28101 invoked by uid 500); 6 Nov 2006 04:39:00 -0000
Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org
Received: (qmail 28047 invoked by uid 500); 6 Nov 2006 04:38:59 -0000
Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@tomcat.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@tomcat.apache.org>
List-Post: <mailto:dev@tomcat.apache.org>
List-Id: <dev.tomcat.apache.org>
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
Delivered-To: mailing list dev@tomcat.apache.org
Received: (qmail 28035 invoked by uid 500); 6 Nov 2006 04:38:59 -0000
Delivered-To: apmail-jakarta-tomcat-dev@jakarta.apache.org
Received: (qmail 28032 invoked by uid 99); 6 Nov 2006 04:38:59 -0000
Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 05 Nov 2006 20:38:59 -0800
X-ASF-Spam-Status: No, hits=-9.4 required=10.0
	tests=ALL_TRUSTED,NO_REAL_NAME
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO brutus.apache.org) (140.211.11.4)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 05 Nov 2006 20:38:47 -0800
Received: by brutus.apache.org (Postfix, from userid 33)
	id C73737142E4; Sun,  5 Nov 2006 20:38:27 -0800 (PST)
From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 40901]  New:  - listings page does not escape XML
 characters
Message-ID: <bug-40901-78@http.issues.apache.org/bugzilla/>
X-Bugzilla-Reason: AssignedTo
Date: Sun,  5 Nov 2006 20:38:27 -0800 (PST)
X-Virus-Checked: Checked by ClamAV on apache.org

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40901>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40901

           Summary: listings page does not escape XML characters
           Product: Tomcat 5
           Version: 5.5.17
          Platform: Other
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: dies@jp.fujitsu.com


On Solaris you can have a file or directory name called "<b>xxx" or "<i>yyy".
Using Tomcat's listings feature, you get a directory listing with the file name
in bold or italics.

I am not familiar with Javascript or cross-site scripting security problems, but
I believe Tomcat escapes XML characters like ">" and "<" to prevent client
browsers to interpret HTML codes that are not intended to be interpreted as such
for the default error page.
I think the same should be done for listings, or a warning should be added to
the documentation not to use it if you have no control over the file/directory
names you list.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org