[ https://issues.apache.org/jira/browse/WW-5636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lukasz Lenart updated WW-5636:
------------------------------
Fix Version/s: 7.2.0
> ServletRedirectResult writes unescaped URL to response body for non-302 status codes
> ------------------------------------------------------------------------------------
>
> Key: WW-5636
> URL: https://issues.apache.org/jira/browse/WW-5636
> Project: Struts 2
> Issue Type: Bug
> Reporter: Arun Manni
> Priority: Major
> Fix For: 7.2.0
>
>
> When statusCode is not 302, ServletRedirectResult.sendRedirect() writes the
> redirect URL directly to the response body without HTML encoding. The servlet
> container defaults Content-Type to text/html, which means any HTML characters
> in the URL are rendered unescaped.
> PostbackResult.java (line 108) in the same package already uses
> StringEscapeUtils.escapeHtml4() for the identical pattern, confirming this
> was an oversight.
> This change applies escapeHtml4() to the response body output, matching the
> existing convention in PostbackResult.
> PR: https://github.com/apache/struts/pull/1737
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
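The defect the report describes, reduced to a stand-alone illustration. This is an added example, not Struts code and not the PR's diff: `FakeResponse` is a hypothetical stand-in for `HttpServletResponse` that only records status, `Location` and body, the local `escapeHtml4` is a minimal replacement for `StringEscapeUtils.escapeHtml4()` (assumed not to be on the classpath), and the sample URL is constructed. `sendRedirectBefore` reproduces the reported behaviour (URL written verbatim to a `text/html` body for non-302 codes); `sendRedirectAfter` applies the same fix the issue names, and `bodyContainsRawMarkup` is the check a reviewer would run over the result.

```java
import java.io.StringWriter;

/**
 * Stand-alone illustration of WW-5636, added as an example (not Struts code).
 * FakeResponse stands in for HttpServletResponse; nothing here touches a container.
 */
public final class RedirectBodyEscapingDemo {

    /** Hypothetical stand-in for HttpServletResponse: records status, Location and body. */
    static final class FakeResponse {
        int status = 200;
        String contentType = "text/html"; // the container default when nothing sets it
        String location;                  // Location header written by a true 302 redirect
        final StringWriter body = new StringWriter();
    }

    /**
     * Minimal equivalent of StringEscapeUtils.escapeHtml4 for the four characters that
     * let plain text become markup (assumption: Commons Text is not available here;
     * like escapeHtml4, the single quote is deliberately left alone).
     */
    static String escapeHtml4(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The pattern the issue reports: for non-302 codes the URL goes into the body verbatim. */
    static FakeResponse sendRedirectBefore(int statusCode, String url) {
        FakeResponse resp = new FakeResponse();
        if (statusCode == 302) {
            resp.status = 302;
            resp.location = url;      // container emits a Location header, no body
        } else {
            resp.status = statusCode;
            resp.body.write(url);     // unescaped, and Content-Type is still text/html
        }
        return resp;
    }

    /** The same method with the fix named in the issue: escapeHtml4 on the body output. */
    static FakeResponse sendRedirectAfter(int statusCode, String url) {
        FakeResponse resp = new FakeResponse();
        if (statusCode == 302) {
            resp.status = 302;
            resp.location = url;
        } else {
            resp.status = statusCode;
            resp.body.write(escapeHtml4(url));
        }
        return resp;
    }

    /** Check: would a browser parse this body as markup rather than as text? */
    static boolean bodyContainsRawMarkup(FakeResponse resp) {
        String b = resp.body.toString();
        return "text/html".equals(resp.contentType) && (b.indexOf('<') >= 0 || b.indexOf('>') >= 0);
    }

    public static void main(String[] args) {
        // Constructed sample: a redirect target carrying HTML characters, sent with a 301.
        String url = "/app/home?msg=<b>not-a-link</b>&x=\"y\"";

        FakeResponse before = sendRedirectBefore(301, url);
        FakeResponse after = sendRedirectAfter(301, url);

        System.out.println("before: " + before.body + "  rawMarkup=" + bodyContainsRawMarkup(before));
        System.out.println("after:  " + after.body + "  rawMarkup=" + bodyContainsRawMarkup(after));
        // A real 302 never writes a body in either version, so the escaping only matters off that path.
        System.out.println("302 body empty: " + sendRedirectAfter(302, url).body.toString().isEmpty());
    }
}
```

Compile and run with `javac RedirectBodyEscapingDemo.java && java RedirectBodyEscapingDemo`. The `before` body carries the `<b>` tags through unchanged and `bodyContainsRawMarkup` reports true; the `after` body carries `&lt;b&gt;` and the check reports false. The check keys on `Content-Type` as well as on the characters because the issue's point is that the container defaults the type to `text/html`: escaping the body is the fix the report applies, and the content type is what makes the unescaped write matter.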