Thank you for your quick reply. I'm sorry. My explanation was insufficient.
I usually access the login page as /login. But I'm concerned about the cross-site scripting vulnerability of the 'execution' param. Because when I put an HTTP GET parameter such as "?execution=<script>" into the CAS login page, the results displayed in the web browser include the following message.

========================================================
BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key '<script>',
========================================================

"<" and ">" in the above message are not escaped. Therefore, I guess there is a possibility of a cross-site scripting vulnerability. Could you please confirm?

Thank you.
