sergio-d-lemos commented on PR #1469: URL: https://github.com/apache/activemq/pull/1469#issuecomment-3064223979
> I'd prefer not to add the entire dependency for one or two methods.

@mattrpav Sorry, I'm not sure if I updated my pull request correctly. I replaced the code using `StringEscapeUtils` with `c:out` tags, which already do the sanitization. This way we don't need to depend on commons-lang3.

I tested this change by:

1. Tested the `form:text` tag by trying to inject javascript code into the "send" page via URL parameters: `http://localhost:8161/admin/send.jsp?JMSCorrelationID=a%22%3C\input%3E%3Cscript%3Ealert(%22test%22);%3C/script%3E`
2. Tested the `form:short` tag by using the send page to publish messages to queues called `<script>alert('a');</script>` and `<script>alert('b');</script>`, then opening one of the messages.
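As an added illustration (not the PR's own diff or the ActiveMQ console sources), the pattern the comment describes: a request parameter echoed raw into the page, beside the `c:out` form that JSTL escapes by default. The taglib declaration, the `row.destinationName` variable and the surrounding markup are assumptions for this example.

```jsp
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%-- Hypothetical markup for illustration; not taken from the console. --%>

<%-- Before: the parameter is written straight into the attribute value, so
     a value that closes the quote and opens a <script> tag is rendered as
     markup. Plain EL (${param.JMSCorrelationID}) behaves the same way;
     EL does not escape on its own. --%>
<input type="text" name="JMSCorrelationID"
       value="<%= request.getParameter("JMSCorrelationID") %>"/>

<%-- After: <c:out> has escapeXml="true" by default, so <, >, &, ' and "
     are emitted as entities and the browser shows the value as text. --%>
<input type="text" name="JMSCorrelationID"
       value="<c:out value='${param.JMSCorrelationID}'/>"/>

<%-- The same rule applies to values that arrive from the broker rather than
     the request, e.g. a destination name shown on the message page
     (row.destinationName is an assumed variable). --%>
<td><c:out value="${row.destinationName}"/></td>
```

Note that `escapeXml` covers HTML body and attribute contexts only; a value placed inside an inline `<script>` block or a URL needs the escaping for that context instead.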