This is an automated email from the ASF dual-hosted git repository.

rmaucher pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
     new 51090eeb92 Improve escaping of XML in the manager servlet
51090eeb92 is described below

commit 51090eeb925f7043c8552a5195538f1e62cda893
Author: remm <[email protected]>
AuthorDate: Fri May 22 08:40:55 2026 +0200

    Improve escaping of XML in the manager servlet
---
 java/org/apache/catalina/manager/StatusTransformer.java | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/java/org/apache/catalina/manager/StatusTransformer.java 
b/java/org/apache/catalina/manager/StatusTransformer.java
index 13072b6453..29178577c3 100644
--- a/java/org/apache/catalina/manager/StatusTransformer.java
+++ b/java/org/apache/catalina/manager/StatusTransformer.java
@@ -656,24 +656,24 @@ public class StatusTransformer {
                 }
                 writer.write("\"");
                 writer.write(" remoteAddr=\"" +
-                        
Escape.htmlElementContent(mBeanServer.getAttribute(pName, "remoteAddr")) + 
"\"");
+                        
Escape.xml(String.valueOf(mBeanServer.getAttribute(pName, "remoteAddr"))) + 
"\"");
                 writer.write(" virtualHost=\"" +
-                        
Escape.htmlElementContent(mBeanServer.getAttribute(pName, "virtualHost")) + 
"\"");
+                        
Escape.xml(String.valueOf(mBeanServer.getAttribute(pName, "virtualHost"))) + 
"\"");
 
                 if (showRequest) {
                     writer.write(
-                            " method=\"" + 
Escape.htmlElementContent(mBeanServer.getAttribute(pName, "method")) + "\"");
+                            " method=\"" + 
Escape.xml(String.valueOf(mBeanServer.getAttribute(pName, "method"))) + "\"");
                     writer.write(" currentUri=\"" +
-                            
Escape.htmlElementContent(mBeanServer.getAttribute(pName, "currentUri")) + 
"\"");
+                            
Escape.xml(String.valueOf(mBeanServer.getAttribute(pName, "currentUri"))) + 
"\"");
 
                     String queryString = (String) 
mBeanServer.getAttribute(pName, "currentQueryString");
                     if (queryString != null && !queryString.isEmpty()) {
-                        writer.write(" currentQueryString=\"" + 
Escape.htmlElementContent(queryString) + "\"");
+                        writer.write(" currentQueryString=\"" + 
Escape.xml(queryString) + "\"");
                     } else {
                         writer.write(" currentQueryString=\"&#63;\"");
                     }
                     writer.write(" protocol=\"" +
-                            
Escape.htmlElementContent(mBeanServer.getAttribute(pName, "protocol")) + "\"");
+                            
Escape.xml(String.valueOf(mBeanServer.getAttribute(pName, "protocol"))) + "\"");
                 } else {
                     writer.write(" method=\"&#63;\"");
                     writer.write(" currentUri=\"&#63;\"");
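Review bot: Wrapping each value in `String.valueOf(...)` turns a null MBean attribute into the literal text `null`, while the surrounding code uses `&#63;` (`?`) as the placeholder for values that are not shown; this affects the remoteAddr, virtualHost, method, currentUri and protocol lines. Whether these attributes can be null is not visible from this hunk, but if they can, `Escape.xml(Objects.toString(mBeanServer.getAttribute(pName, "remoteAddr"), "?"))` keeps a single placeholder convention in the status XML (it needs `java.util.Objects` in scope). The `currentQueryString` line still converts with a `(String)` cast, so the six values are now stringified in two different ways. A one-line comment above the block, such as `// values below appear to be request-derived and are written into XML attribute values, so escape with Escape.xml`, would record why this escaper was chosen. The enclosing method starts and ends outside the hunk.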

