This is an automated email from the ASF dual-hosted git repository.

rmaucher pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 4bdea6cf9f Improve escaping of XML in the manager servlet
4bdea6cf9f is described below

commit 4bdea6cf9fbde587f84df95c58989fdd98d5c0dc
Author: remm <[email protected]>
AuthorDate: Fri May 22 08:40:55 2026 +0200

    Improve escaping of XML in the manager servlet
---
 java/org/apache/catalina/manager/StatusTransformer.java | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/java/org/apache/catalina/manager/StatusTransformer.java 
b/java/org/apache/catalina/manager/StatusTransformer.java
index c31511ae5e..60e3d2ddc1 100644
--- a/java/org/apache/catalina/manager/StatusTransformer.java
+++ b/java/org/apache/catalina/manager/StatusTransformer.java
@@ -722,24 +722,24 @@ public class StatusTransformer {
                 }
                 writer.write("\"");
                 writer.write(" remoteAddr=\"" +
-                        
Escape.htmlElementContent(mBeanServer.getAttribute(pName, "remoteAddr")) + 
"\"");
+                        
Escape.xml(String.valueOf(mBeanServer.getAttribute(pName, "remoteAddr"))) + 
"\"");
                 writer.write(" virtualHost=\"" +
-                        
Escape.htmlElementContent(mBeanServer.getAttribute(pName, "virtualHost")) + 
"\"");
+                        
Escape.xml(String.valueOf(mBeanServer.getAttribute(pName, "virtualHost"))) + 
"\"");
 
                 if (showRequest) {
                     writer.write(
-                            " method=\"" + 
Escape.htmlElementContent(mBeanServer.getAttribute(pName, "method")) + "\"");
+                            " method=\"" + 
Escape.xml(String.valueOf(mBeanServer.getAttribute(pName, "method"))) + "\"");
                     writer.write(" currentUri=\"" +
-                            
Escape.htmlElementContent(mBeanServer.getAttribute(pName, "currentUri")) + 
"\"");
+                            
Escape.xml(String.valueOf(mBeanServer.getAttribute(pName, "currentUri"))) + 
"\"");
 
                     String queryString = (String) 
mBeanServer.getAttribute(pName, "currentQueryString");
                     if (queryString != null && !queryString.isEmpty()) {
-                        writer.write(" currentQueryString=\"" + 
Escape.htmlElementContent(queryString) + "\"");
+                        writer.write(" currentQueryString=\"" + 
Escape.xml(queryString) + "\"");
                     } else {
                         writer.write(" currentQueryString=\"&#63;\"");
                     }
                     writer.write(" protocol=\"" +
-                            
Escape.htmlElementContent(mBeanServer.getAttribute(pName, "protocol")) + "\"");
+                            
Escape.xml(String.valueOf(mBeanServer.getAttribute(pName, "protocol"))) + "\"");
                 } else {
                     writer.write(" method=\"&#63;\"");
                     writer.write(" currentUri=\"&#63;\"");
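Review bot: Wrapping each `mBeanServer.getAttribute(...)` result in `String.valueOf(...)` means a null attribute is now written as the literal text `null` in `remoteAddr`, `virtualHost`, `method`, `currentUri` and `protocol`, while the neighbouring branches of this same hunk write `&#63;` as the placeholder for an unavailable value. If these attributes can be null (for example on an idle request processor, which is not visible here), consider `Escape.xml(Objects.toString(mBeanServer.getAttribute(pName, "method"), "?"))` for each of the five writes so the XML status output stays consistent; this needs `java.util.Objects` in the file's imports. A short comment above the first write, such as `// Request-derived values land inside XML attribute values, so they must be XML-escaped`, would also record why `Escape.xml` is required here. The enclosing method starts and ends outside this hunk.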

