[ https://issues.apache.org/jira/browse/WW-5636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arun Manni updated WW-5636:
---------------------------
External issue URL: https://github.com/apache/struts/pull/1737
Flags: Patch
Description:
When statusCode is not 302, ServletRedirectResult.sendRedirect() writes the
redirect URL directly to the response body without HTML encoding. The servlet
container defaults Content-Type to text/html, which means any HTML characters
in the URL are rendered unescaped.
PostbackResult.java (line 108) in the same package already uses
StringEscapeUtils.escapeHtml4() for the identical pattern, confirming this was
an oversight.
This change applies escapeHtml4() to the response body output, matching the
existing convention in PostbackResult.
PR: https://github.com/apache/struts/pull/1737
Summary: ServletRedirectResult writes unescaped URL to response body for non-302 status codes (was: bug patch )
> ServletRedirectResult writes unescaped URL to response body for non-302
> status codes
> ------------------------------------------------------------------------------------
>
> Key: WW-5636
> URL: https://issues.apache.org/jira/browse/WW-5636
> Project: Struts 2
> Issue Type: Bug
> Reporter: Arun Manni
> Priority: Major
>
> When statusCode is not 302, ServletRedirectResult.sendRedirect() writes the
> redirect URL directly to the response body without HTML encoding. The servlet
> container defaults Content-Type to text/html, which means any HTML characters
> in the URL are rendered unescaped.
> PostbackResult.java (line 108) in the same package already uses
> StringEscapeUtils.escapeHtml4() for the identical pattern, confirming this
> was an oversight.
> This change applies escapeHtml4() to the response body output, matching the
> existing convention in PostbackResult.
> PR: https://github.com/apache/struts/pull/1737
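The pattern the issue describes, as an added example that is not Struts code and not the PR's diff: a redirect result for a non-302 status writes the target URL into a text/html body, first unescaped (the reported defect) and then passed through an HTML escaper (the fix). The `FakeResponse` class and the local `escapeHtml4` are stand-ins assumed here so the snippet runs without the Servlet API or commons-lang3; the local escaper covers the `& < > "` characters that matter in an HTML text context, whereas the real `StringEscapeUtils.escapeHtml4` also emits named entities for other characters. Note that only the body is escaped; the `Location` header is not in an HTML context and must keep the raw URL, or the redirect would break.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;

// Added illustration of WW-5636: unescaped vs. escaped redirect-URL echo in a text/html body.
public class RedirectBodyEscapingDemo {

    // Hypothetical minimal stand-in for HttpServletResponse (assumed, not the Servlet API).
    static final class FakeResponse {
        int status;
        String location;
        String contentType = "text/html"; // containers default to text/html when nothing is set
        final StringWriter body = new StringWriter();

        PrintWriter getWriter() { return new PrintWriter(body, true); }
        void setStatus(int s) { status = s; }
        void setHeader(String name, String value) {
            if ("Location".equalsIgnoreCase(name)) location = value;
        }
    }

    // Local stand-in for org.apache.commons.lang3.StringEscapeUtils.escapeHtml4 (assumed).
    // escapeHtml4 escapes & < > " and leaves the apostrophe alone; this does the same.
    static String escapeHtml4(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The defect: for a non-302 status the URL is echoed into an HTML body as-is.
    static void sendRedirectUnescaped(FakeResponse resp, int statusCode, String finalLocation)
            throws IOException {
        resp.setStatus(statusCode);
        resp.setHeader("Location", finalLocation); // header: raw URL is correct here
        PrintWriter w = resp.getWriter();
        w.write(finalLocation);                    // body: HTML context, but unescaped
        w.close();
    }

    // The fix: same flow, but the body text is HTML-escaped; the header stays raw.
    static void sendRedirectEscaped(FakeResponse resp, int statusCode, String finalLocation)
            throws IOException {
        resp.setStatus(statusCode);
        resp.setHeader("Location", finalLocation);
        PrintWriter w = resp.getWriter();
        w.write(escapeHtml4(finalLocation));
        w.close();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a redirect target carrying HTML metacharacters.
        String target = "/app/next?ref=\"><b>not-a-link</b>&x=1";

        FakeResponse before = new FakeResponse();
        sendRedirectUnescaped(before, 301, target);
        System.out.println("before body   : " + before.body);
        // prints the raw <b> tag, which a browser would render as markup

        FakeResponse after = new FakeResponse();
        sendRedirectEscaped(after, 301, target);
        System.out.println("after body    : " + after.body);
        // prints &quot;&gt;&lt;b&gt;not-a-link&lt;/b&gt;&amp;x=1, rendered as literal text

        // The Location header is identical in both cases; escaping it would corrupt the redirect.
        System.out.println("location same : " + before.location.equals(after.location));
    }
}
```

Run with `javac RedirectBodyEscapingDemo.java && java RedirectBodyEscapingDemo`. The check a reviewer wants on the real change is the same one the demo makes explicit: the escaping is applied to the writer output only, and the `Location` header value is untouched.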
--
This message was sent by Atlassian Jira
(v8.20.10#820010)