cnsgithub commented on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441527197

> 1. all right, it would be just cool if we would have some more tests which also cover other #write methods or even writeAttribute - but not required

Provided another test for `writeAttribute`.

> 2. Oh, really sorry - that's my fault because of a too fast review. I thought that you would wrap a simple char with a string now.
> I would just do:
>
> ```
> @Override
> public void write(String str, int off, int len) throws IOException {
>     super.write(new String(xmlEncode(str.toCharArray())), off, len);
> }
> ```

Done.

> I just wonder if we should replace the invalid char by a blank instead of empty? Not sure...

Also considered this. However, it would complicate things since array lengths might change then. When looking at OWASP's encoder you'll find they're also replacing illegal characters by spaces.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]

With regards,
Apache Git Services
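
Length-preserving replacement of illegal XML characters with a space, the option weighed in the comment above, shown as an added example that is not code from the pull request. The names `XmlCharSanitizer`, `isLegalXml10` and `replaceIllegal` are hypothetical, the legal ranges are those of the XML 1.0 `Char` production, and the sample string is constructed.

```java
public class XmlCharSanitizer {

    /** True if the code point matches the XML 1.0 "Char" production. */
    static boolean isLegalXml10(int cp) {
        return cp == 0x9 || cp == 0xA || cp == 0xD
                || (cp >= 0x20 && cp <= 0xD7FF)
                || (cp >= 0xE000 && cp <= 0xFFFD)
                || (cp >= 0x10000 && cp <= 0x10FFFF);
    }

    /** Returns a same-length copy with every illegal char replaced by a space. */
    static char[] replaceIllegal(char[] in) {
        char[] out = in.clone();
        for (int i = 0; i < out.length; i++) {
            if (Character.isHighSurrogate(out[i]) && i + 1 < out.length
                    && Character.isLowSurrogate(out[i + 1])) {
                i++; // well-formed pair: a supplementary code point, legal in XML 1.0
            } else if (!isLegalXml10(out[i])) {
                out[i] = ' '; // control chars, U+FFFE/U+FFFF, unpaired surrogates
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: NUL, vertical tab, U+FFFE, a valid surrogate pair,
        // and an unpaired high surrogate.
        String sample = "a\u0000b\u000Bc\uFFFEd\uD83D\uDE00e\uD83Dz";
        char[] cleaned = replaceIllegal(sample.toCharArray());

        // The length is unchanged, so an offset and length computed against
        // the original string still address the same characters.
        System.out.println(cleaned.length == sample.length());
        int off = sample.indexOf('d');
        System.out.println(new String(cleaned, off, 4));
    }
}
```

Dropping the illegal characters instead would shorten the array, so any `off`/`len` pair computed before sanitizing would have to be recalculated.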
