This is an automated email from the ASF dual-hosted git repository. michaelo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/velocity-tools.git
The following commit(s) were added to refs/heads/master by this push: new e141828 Fixed Reflected XSS Vuln e141828 is described below commit e141828a4eb03e4b0224535eed12b5c463a24152 Author: Jackson Henry <54763344+jh...@users.noreply.github.com> AuthorDate: Thu Oct 8 14:18:25 2020 +1100 Fixed Reflected XSS Vuln Velocity Tools has an automatically generated error page, which echoes back the file name unescaped. This commit sanitizes user input and fixes the XSS Vulnerability! Updated XSS Vuln fix (used StringEscapeUtils)
---
 .../main/java/org/apache/velocity/tools/view/VelocityViewServlet.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java b/velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
index aff9b71..325ab0b 100644
--- a/velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
+++ b/velocity-tools-view/src/main/java/org/apache/velocity/tools/view/VelocityViewServlet.java
@@ -460,7 +460,7 @@ public class VelocityViewServlet extends HttpServlet
 html.append("<head><title>Error</title></head>\n");
 html.append("<body>\n");
 html.append("<h2>VelocityView : Error processing a template for path '");
- html.append(path);
+ html.append(StringEscapeUtils.escapeHtml4(path));
 html.append("'</h2>\n");
 Throwable cause = e;
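Review bot: The added line calls `StringEscapeUtils.escapeHtml4(path)`, but the diffstat shows a single insertion in a single file, so the import (commons-lang3 and commons-text both provide an `escapeHtml4`) must already be present at the top of VelocityViewServlet.java for this to compile; the hunk does not show it, so that is worth confirming along with which artifact the module actually depends on. Escaping `path` closes the sink in the `<h2>` text node, but the method body continues outside the hunk, and any later `html.append(...)` of `cause.getMessage()` or other request-derived strings on the same error page needs the same `escapeHtml4` treatment, otherwise the reflected-XSS sink only moves a few lines down. A short comment on the new line, `// path is request-derived; HTML-escape it before echoing it into the error page`, would record why the escaping is there so it survives a later refactor.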