On 02/03/18 17:05, Mark Thomas wrote:
> On 02/03/18 15:33, Konstantin Kolinko wrote:
>> 2018-03-02 14:51 GMT+03:00  <ma...@apache.org>:
>>> Author: markt
>>> Date: Fri Mar  2 11:51:19 2018
>>> New Revision: 1825713
>>> URL: http://svn.apache.org/viewvc?rev=1825713&view=rev
>>> Log:
>>> Work-around a known, non-specification compliant behaviour in some versions
>>> of IE that can allow XSS when using the JMX proxy feature of the Manager
>>> application.
>>> Based on a suggestion from Muthukumar Marikani.
>> It may be worth adding the same to ManagerServlet and HostManagerServlet,
>> which use text/plain as well.
> I'm not sure. I'll take a closer look but the first one I looked at was
> HTML escaped because it is used by both Manager and HTMLManager.

It didn't take me long to find a route to an unescaped value. I'll
expand this work-around to cover all the Manager and Host Manager
servlets that return text/plain.
