Is this screaming XSS attack?
Since javadocs in getRequestURI() say ... The web container does not
decode this String
-Tim
[EMAIL PROTECTED] wrote:
> Author: markt
> Date: Sat Jan 13 18:45:48 2007
> New Revision: 496022
> URL: http://svn.apache.org/viewvc?view=rev&rev=496022
> Modified:
Tim Funk wrote:
> Is this screaming XSS attack?
> Since javadocs in getRequestURI() say ... The web container does not
> decode this String
It would be if it wasn't for line 177 of o.a.c.valves.ErrorReportValve
which does:
String message = RequestUtil.filter(response.getMessage());
Mark
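
The point made in the reply above, as an added example that is not part of the thread and not Tomcat's own code: a request URI copied undecoded into a 404 message stays inert only because the message is HTML-escaped before it reaches the error page. The `filter` method is a stand-in for `RequestUtil.filter` (assumed here to escape `<`, `>`, `&` and `"`), `renderReport` is a hypothetical helper, and the URI is constructed sample input.

```java
public class ErrorMessageFilterDemo {

    // Stand-in for RequestUtil.filter(): assumed to replace the four
    // HTML-significant characters with entities. Not Tomcat's source.
    static String filter(String message) {
        if (message == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(message.length() + 16);
        for (char c : message.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                default:  out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical helper: builds an error-report fragment with or
    // without escaping the message, so both outcomes can be compared.
    static String renderReport(int status, String message, boolean escape) {
        String shown = escape ? filter(message) : message;
        return "<h1>HTTP Status " + status + "</h1><p><b>message</b> <u>"
                + shown + "</u></p>";
    }

    public static void main(String[] args) {
        // Constructed sample: a URI as getRequestURI() may return it,
        // undecoded and carrying markup characters.
        String requestUri = "/docs/<i>missing</i>&q=\"1\"";

        String raw = renderReport(404, requestUri, false);
        String escaped = renderReport(404, requestUri, true);
        System.out.println("unfiltered: " + raw);
        System.out.println("filtered:   " + escaped);

        // Check a reviewer would want: the URI's markup must not survive
        // as markup in the filtered report.
        boolean markupSurvives = escaped.contains("<i>");
        System.out.println("markup survives filtering: " + markupSurvives);
    }
}
```
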
Sweet - I thought that was the case. [But wanted to make sure.]
-Tim
Mark Thomas wrote:
> Tim Funk wrote:
>> Is this screaming XSS attack?
>> Since javadocs in getRequestURI() say ... The web container does not
>> decode this String
> It would be if it wasn't for line 177 of
Author: markt
Date: Sat Jan 13 18:45:48 2007
New Revision: 496022
URL: http://svn.apache.org/viewvc?view=rev&rev=496022
Log:
Fix bug 41327. Show full request URI for a 404. Patch provided by Vijay.
Modified:
tomcat/container/tc5.5.x/webapps/docs/changelog.xml