[ https://issues.apache.org/jira/browse/WW-5636?focusedWorklogId=1025119&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1025119 ]
ASF GitHub Bot logged work on WW-5636:
--------------------------------------
Author: ASF GitHub Bot
Created on: 14/Jun/26 16:27
Start Date: 14/Jun/26 16:27
Worklog Time Spent: 10m
Work Description: arunmanni-ai commented on PR #1737:
URL: https://github.com/apache/struts/pull/1737#issuecomment-4702354953
Thanks for the thorough review. Updated the title to match the hardening
framing. Noted on reporting suspected security issues to
[email protected] first — will follow that process going forward.
Issue Time Tracking
-------------------
Worklog Id: (was: 1025119)
Time Spent: 20m (was: 10m)
> ServletRedirectResult writes unescaped URL to response body for non-302 status codes
> ------------------------------------------------------------------------------------
>
> Key: WW-5636
> URL: https://issues.apache.org/jira/browse/WW-5636
> Project: Struts 2
> Issue Type: Bug
> Reporter: Arun Manni
> Priority: Minor
> Fix For: 7.2.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When statusCode is not 302, ServletRedirectResult.sendRedirect() writes the
> redirect URL directly to the response body without HTML encoding. The servlet
> container defaults Content-Type to text/html, which means any HTML characters
> in the URL are rendered unescaped.
> PostbackResult.java (line 108) in the same package already uses
> StringEscapeUtils.escapeHtml4() for the identical pattern, confirming this
> was an oversight.
> This change applies escapeHtml4() to the response body output, matching the
> existing convention in PostbackResult.
> PR: https://github.com/apache/struts/pull/1737
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
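As an added illustration (this is not Struts code and not taken from the PR), the stand-alone Java class below mimics the two behaviours the report describes on plain strings: the raw-body path taken for a non-302 status, and the same path with escapeHtml4-style HTML escaping applied to the body only. The escaper is a minimal stand-in for Apache Commons StringEscapeUtils.escapeHtml4 that covers just &, <, > and "; the SimulatedResponse type, the assumption that a Location header is still set alongside the body, and the injected URL are all constructed here for the example.

```java
import java.util.Objects;

/**
 * Illustration of the non-302 redirect body issue described in WW-5636.
 * The real ServletRedirectResult is not reproduced; this class only models
 * the difference between writing the raw URL and the HTML-escaped URL.
 */
public final class RedirectBodyDemo {

    /**
     * Minimal stand-in for StringEscapeUtils.escapeHtml4 (assumption: only the
     * four basic entities matter for this demonstration).
     */
    static String escapeHtml4(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Constructed model of a response: status, Location header, body text. */
    record SimulatedResponse(int status, String location, String body) {}

    /** "Before": for non-302 codes the body carries the raw URL (as the report describes). */
    static SimulatedResponse sendRedirectUnescaped(int statusCode, String url) {
        if (statusCode == 302) {
            // The container's own redirect path; this demo writes no body for it.
            return new SimulatedResponse(302, url, "");
        }
        return new SimulatedResponse(statusCode, url, url);
    }

    /** "After": same Location header, but the body is HTML-escaped like PostbackResult does. */
    static SimulatedResponse sendRedirectEscaped(int statusCode, String url) {
        if (statusCode == 302) {
            return new SimulatedResponse(302, url, "");
        }
        return new SimulatedResponse(statusCode, url, escapeHtml4(url));
    }

    /** Crude regression check: does a text/html body still contain raw tag characters? */
    static boolean bodyContainsRawMarkup(String body) {
        return body.indexOf('<') >= 0 || body.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed input: a redirect target with markup injected into a query parameter.
        String url = "/login?next=\"><script>alert(1)</script>";

        SimulatedResponse before = sendRedirectUnescaped(303, url);
        SimulatedResponse after = sendRedirectEscaped(303, url);

        System.out.println("before: " + before.body());
        System.out.println("after:  " + after.body());

        // The raw body reflects the markup; the escaped body does not.
        if (!bodyContainsRawMarkup(before.body())) throw new AssertionError("expected raw markup before fix");
        if (bodyContainsRawMarkup(after.body())) throw new AssertionError("markup survived escaping");

        // Escaping is applied to the body only; the Location header is left as the redirect target.
        if (!Objects.equals(before.location(), after.location())) throw new AssertionError("header changed");
    }
}
```

The point of the last assertion is the caveat a reviewer would want confirmed: the fix HTML-escapes what is rendered as text/html, and must not touch the Location header, where HTML entities have no meaning and would corrupt the redirect target.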