http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17102

Can't embed "<>" characters in paramValue data.

Summary: Can't embed "<>" characters in paramValue data.
Product: Commons
Version: Nightly Builds
Platform: All
OS/Version: Windows NT/2K
Status: NEW
Severity: Enhancement
Priority: Other
Component: Latka
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

I'm unable to write tests that check for cross-site scripting vulnerabilities because the <paramValue> tag adds text to the request that is unconditionally XML escaped. Thus, the intended "<>" characters become literal "&lt;" and "&gt;" in the request.

I'm not familiar with Latka enough to know if this is by design. If this escaping isn't needed, changing ParamValueTag.java (along with ParamNameTag.java plus RequestBodyTag.java for consistency) to use "getBodyText(false)" would fix this.

In case the escaping is needed, I have attached a zip file that includes patches for these files as well as suite.ent that adds an "escape" attribute to these tags. Since the attribute text for the requestHeader tag is not escaped, the patch as is makes not escaping the default as well. This is a change from prior behavior. The internal tests and jakarta-watchdog-4.0/latka-scratch do not appear to be affected by this change.
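The effect described in the report, as an added example (a Python model, not Latka code and not part of the report): a reflected-output regression check passes against a handler that does no output encoding when the test parameter is XML-escaped before sending. The function names, the inert probe string and both handlers are constructed for illustration.

```python
from html import escape as html_escape
from urllib.parse import urlencode, parse_qs
from xml.sax.saxutils import escape as xml_escape

# Constructed, inert marker: it only needs to contain "<" and ">".
PROBE = "<latka-probe>"


def build_query(name, value, escape):
    """Model of a paramValue body: XML-escaped (reported behaviour) or sent raw."""
    if escape:
        value = xml_escape(value)  # "<" -> "&lt;", ">" -> "&gt;"
    return urlencode({name: value})


def echo_unsafe(query):
    """Constructed handler that reflects the parameter with no output encoding."""
    q = parse_qs(query)["q"][0]
    return "<p>You searched for: " + q + "</p>"


def echo_safe(query):
    """Constructed handler that HTML-encodes the parameter before reflecting it."""
    q = parse_qs(query)["q"][0]
    return "<p>You searched for: " + html_escape(q) + "</p>"


def reflects_raw_markup(handler, escape):
    """Regression check: does the response contain the probe verbatim?"""
    return PROBE in handler(build_query("q", PROBE, escape))


def run_matrix():
    """Check both handlers with and without escaping of the test parameter."""
    return {
        (handler.__name__, esc): reflects_raw_markup(handler, esc)
        for handler in (echo_unsafe, echo_safe)
        for esc in (True, False)
    }


if __name__ == "__main__":
    for (name, esc), flagged in sorted(run_matrix().items()):
        print(f"{name:12} escape={esc!s:5} flagged={flagged}")
```

With escaping on, the unencoded handler is not flagged because the server only ever receives the entity text; with escaping off, the same check flags it and still passes the handler that encodes its output.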
