This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/velocity-tools.git


The following commit(s) were added to refs/heads/master by this push:
     new e141828  Fixed Reflected XSS Vuln
e141828 is described below

commit e141828a4eb03e4b0224535eed12b5c463a24152
Author: Jackson Henry <54763344+jh...@users.noreply.github.com>
AuthorDate: Thu Oct 8 14:18:25 2020 +1100

    Fixed Reflected XSS Vuln
    
    Velocity Tools has an automatically generated error page, which echoes back the file name unescaped. This commit sanitizes user input and fixes the XSS vulnerability!
    
    Updated XSS Vuln fix (used StringEscapeUtils)
---
 .../main/java/org/apache/velocity/tools/view/VelocityViewServlet.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
 
b/velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
index aff9b71..325ab0b 100644
--- 
a/velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
+++ 
b/velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
@@ -460,7 +460,7 @@ public class VelocityViewServlet extends HttpServlet
             html.append("<head><title>Error</title></head>\n");
             html.append("<body>\n");
             html.append("<h2>VelocityView : Error processing a template for 
path '");
-            html.append(path);
+            html.append(StringEscapeUtils.escapeHtml4(path));
             html.append("'</h2>\n");
 
             Throwable cause = e;
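Review bot: the hunk calls `StringEscapeUtils.escapeHtml4(path)` but the stat line shows 1 insertion and 1 deletion, so no import is added here; please confirm the class is already imported in VelocityViewServlet (commons-text `org.apache.commons.text.StringEscapeUtils`, or the deprecated commons-lang3 one) and that the dependency is declared for the velocity-tools-view module, otherwise this will not compile. The escaping itself is the right choice for this spot, since `path` lands in element text content between literal quotes; note that `escapeHtml4` encodes `"` but not `'`, so the same call would be insufficient if the value were ever moved into a single-quoted attribute. It is also worth checking whether the other values appended to this generated error page below (the exception chain starting at `Throwable cause = e;`) can carry request-derived text and, if so, escaping them the same way.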

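The following is an added example, not code from the velocity-tools project, showing what the fix changes for a constructed path containing HTML-significant characters. It assumes commons-text's `org.apache.commons.text.StringEscapeUtils` is on the classpath; the `renderHeading` and `containsRawMarkup` methods are illustrative helpers that mirror the fragment in the hunk.

```java
import org.apache.commons.text.StringEscapeUtils; // assumption: commons-text on the classpath

public class ErrorPageEscapeDemo {

    // Mirrors the heading built in VelocityViewServlet's generated error page:
    // the request path is placed in element text, between literal single quotes.
    static String renderHeading(String path, boolean escape) {
        StringBuilder html = new StringBuilder();
        html.append("<h2>VelocityView : Error processing a template for path '");
        html.append(escape ? StringEscapeUtils.escapeHtml4(path) : path);
        html.append("'</h2>\n");
        return html.toString();
    }

    // Defender-side check: after the fixed prefix, no raw tag delimiter or
    // bare ampersand from the untrusted value should survive into the output.
    static boolean containsRawMarkup(String heading) {
        String prefix = "<h2>VelocityView : Error processing a template for path '";
        String userPart = heading.substring(prefix.length(), heading.indexOf("'</h2>"));
        return userPart.indexOf('<') >= 0 || userPart.indexOf('>') >= 0
                || userPart.matches(".*&(?![a-zA-Z#][a-zA-Z0-9]*;).*");
    }

    public static void main(String[] args) {
        // Constructed sample input (not from the page): a template name carrying
        // the characters HTML text context cares about, plus a double and single quote.
        String path = "/report<b>&</b>\"x'.vm";

        String before = renderHeading(path, false);   // behaviour prior to the commit
        String after  = renderHeading(path, true);    // behaviour with escapeHtml4

        System.out.println(before);
        // -> ...path '/report<b>&</b>"x'.vm'</h2>     (markup reaches the browser as-is)
        System.out.println(after);
        // -> ...path '/report&lt;b&gt;&amp;&lt;/b&gt;&quot;x'.vm'</h2>

        System.out.println("raw markup before fix: " + containsRawMarkup(before)); // true
        System.out.println("raw markup after fix:  " + containsRawMarkup(after));  // false

        // Caveat worth knowing: escapeHtml4 leaves the apostrophe untouched, which is
        // fine here (text content) but would not be enough inside a single-quoted attribute.
        System.out.println("apostrophe preserved: " + after.contains("x'.vm"));     // true
    }
}
```

Compile with commons-text on the classpath (for example `javac -cp commons-text.jar ErrorPageEscapeDemo.java`) and run it to see the unescaped and escaped headings side by side; the last line of output documents the apostrophe behaviour that decides whether `escapeHtml4` is sufficient for a given insertion context.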