So assuming this appears to be somewhat "examples" related, is this truly a container problem, or just the jsp examples implementation?
Jeff Kevan Miller wrote: > Presumably in response to Dave's email to Tomcat, the following changes > were made to Tomcat samples, yesterday afternoon: > > From: [EMAIL PROTECTED] > Subject: svn commit: r369933 - in > /tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples: cal/cal2.jsp > security/protected/index.jsp > Date: January 17, 2006 4:52:05 PM EST > To: [email protected] > Reply-To: [email protected] > > Author: markt > Date: Tue Jan 17 13:52:02 2006 > New Revision: 369933 > > URL: http://svn.apache.org/viewcvs?rev=369933&view=rev > Log: > Fix XSS issues in examples. > > Modified: > tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp > > tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp > > > Modified: > tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp > URL: > http://svn.apache.org/viewcvs/tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp?rev=369933&r1=369932&r2=369933&view=diff > > ============================================================================== > > --- > tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp > (original) > +++ > tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/cal/cal2.jsp > Tue Jan 17 13:52:02 2006 
> @@ -29,12 +29,12 @@ > > <FONT SIZE=5> Please add the following event: > <BR> <h3> Date <%= table.getDate() %> > -<BR> Time <%= time %> </h3> > +<BR> Time <%= util.HTMLFilter.filter(time) %> </h3> > </FONT> > <FORM METHOD=POST ACTION=cal1.jsp> > <BR> > <BR> <INPUT NAME="date" TYPE=HIDDEN VALUE="current"> > -<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= time %> > +<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= > util.HTMLFilter.filter(time) %> > <BR> <h2> Description of the event <INPUT NAME="description" TYPE=TEXT > SIZE=20> </h2> > <BR> <INPUT TYPE=SUBMIT VALUE="submit"> > </FORM> > > Modified: > tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp > > URL: > http://svn.apache.org/viewcvs/tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp?rev=369933&r1=369932&r2=369933&view=diff > > ============================================================================== > > --- > tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp > (original) > +++ > tomcat/servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/index.jsp > Tue Jan 17 13:52:02 2006 > @@ -49,11 +49,13 @@ > if (role.length() > 0) { > if (request.isUserInRole(role)) { > %> > - You have been granted role <b><%= role %></b><br><br> > + You have been granted role > + <b><%= util.HTMLFilter.filter(role) %></b><br><br> > <% > } else { > %> > - You have <i>not</i> been granted role <b><%= role %></b><br><br> > + You have <i>not</i> been granted role > + <b><%= util.HTMLFilter.filter(role) %></b><br><br> > <% > } > } 
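Review bot: in the cal2.jsp hunk the hidden input is still written with an unquoted attribute, `<INPUT NAME="time" TYPE=HIDDEN VALUE=<%= util.HTMLFilter.filter(time) %>`, so the new escaping does not fully close the hole: an unquoted HTML attribute value ends at the first whitespace, and anything after that in `time` is parsed as further attributes of the INPUT element rather than as part of the value. Quote it, `VALUE="<%= util.HTMLFilter.filter(time) %>"`, as the index.jsp form hunk already does for `role`. The `Time <%= util.HTMLFilter.filter(time) %>` text-node output is fine as changed. `table.getDate()` on the preceding context line is still emitted raw; worth confirming it is not derived from request input before this example is treated as clean.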
> @@ -62,7 +64,7 @@ > To check whether your username has been granted a particular role, > enter it here: > <form method="GET" action='<%= response.encodeURL("index.jsp") %>'> > -<input type="text" name="role" value="<%= role %>"> > +<input type="text" name="role" value="<%= util.HTMLFilter.filter(role) > %>"> > </form> > <br><br> > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > From: [EMAIL PROTECTED] > Subject: svn commit: r369934 - > /tomcat/container/tc5.5.x/webapps/docs/changelog.xml > Date: January 17, 2006 4:53:04 PM EST > To: [email protected] > Reply-To: [email protected] > > Author: markt > Date: Tue Jan 17 13:53:01 2006 > New Revision: 369934 > > URL: http://svn.apache.org/viewcvs?rev=369934&view=rev > Log: > Update changelog. > > Modified: > tomcat/container/tc5.5.x/webapps/docs/changelog.xml > > Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml > URL: > http://svn.apache.org/viewcvs/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=369934&r1=369933&r2=369934&view=diff > > ============================================================================== > > --- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original) > +++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Tue Jan 17 > 13:53:01 2006 > @@ -76,6 +76,13 @@ > </fix> > </changelog> > </subsection> > + <subsection name="Webapps"> > + <changelog> > + <fix> > + Fix some XSS issues in the JSP examples. (markt) > + </fix> > + </changelog> > + </subsection> > </section> > > <section name="Tomcat 5.5.15 (yoavs)"> > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] 
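Review bot: the changelog entry `Fix some XSS issues in the JSP examples. (markt)` is too thin to answer the question this thread is asking, namely whether the container itself is affected or only the examples webapp: name the files that changed (`cal/cal2.jsp` and `security/protected/index.jsp`) and state that no container code is touched. The same fix is committed to the tc4.1.x branch in r369935, but no corresponding changelog update appears anywhere in this series, so the 4.1.x release notes will not mention it.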
> > From: [EMAIL PROTECTED] > Subject: svn commit: r369935 - in > /tomcat/container/branches/tc4.1.x/webapps/examples/jsp: cal/cal2.jsp > security/protected/index.jsp > Date: January 17, 2006 4:53:53 PM EST > To: [email protected] > Reply-To: [email protected] > > Author: markt > Date: Tue Jan 17 13:53:49 2006 > New Revision: 369935 > > URL: http://svn.apache.org/viewcvs?rev=369935&view=rev > Log: > Fix XSS issues in examples. > > Modified: > tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp > > tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/protected/index.jsp > > > Modified: > tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp > URL: > http://svn.apache.org/viewcvs/tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp?rev=369935&r1=369934&r2=369935&view=diff > > ============================================================================== > > --- tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp > (original) > +++ tomcat/container/branches/tc4.1.x/webapps/examples/jsp/cal/cal2.jsp > Tue Jan 17 13:53:49 2006 
> @@ -18,12 +18,12 @@ > > <FONT SIZE=5> Please add the following event: > <BR> <h3> Date <%= table.getDate() %> > -<BR> Time <%= time %> </h3> > +<BR> Time <%= util.HTMLFilter.filter(time) %> </h3> > </FONT> > <FORM METHOD=POST ACTION=cal1.jsp> > <BR> > <BR> <INPUT NAME="date" TYPE=HIDDEN VALUE="current"> > -<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= time %> > +<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= > util.HTMLFilter.filter(time) %> > <BR> <h2> Description of the event <INPUT NAME="description" TYPE=TEXT > SIZE=20> </h2> > <BR> <INPUT TYPE=SUBMIT VALUE="submit"> > </FORM> > > Modified: > tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/protected/index.jsp > > URL: > http://svn.apache.org/viewcvs/tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/protected/index.jsp?rev=369935&r1=369934&r2=369935&view=diff > > ============================================================================== > > --- > tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/protected/index.jsp > (original) > +++ > tomcat/container/branches/tc4.1.x/webapps/examples/jsp/security/protected/index.jsp > Tue Jan 17 13:53:49 2006 > @@ -34,11 +34,13 @@ > if (role.length() > 0) { > if (request.isUserInRole(role)) { > %> > - You have been granted role <b><%= role %></b><br><br> > + You have been granted role > + <b><%= util.HTMLFilter.filter(role) %></b><br><br> > <% > } else { > %> > - You have <i>not</i> been granted role <b><%= role %></b><br><br> > + You have <i>not</i> been granted role > + <b><%= util.HTMLFilter.filter(role) %></b><br><br> > <% > } > } 
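Review bot: the tc4.1.x cal2.jsp hunk carries the same unquoted hidden-input attribute, `VALUE=<%= util.HTMLFilter.filter(time) %>`, as the servletapi examples copy in r369933; because an unquoted attribute value terminates at whitespace, the escaping alone is not sufficient in attribute context. Quote it here too, `VALUE="<%= util.HTMLFilter.filter(time) %>"`, so both branches get the complete fix in one pass instead of diverging in a later follow-up.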
> @@ -47,7 +49,7 @@ > To check whether your username has been granted a particular role, > enter it here: > <form method="GET" action='<%= response.encodeURL("index.jsp") %>'> > -<input type="text" name="role" value="<%= role %>"> > +<input type="text" name="role" value="<%= util.HTMLFilter.filter(role) > %>"> > </form> > <br><br> > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > >
