On 18.03.20 01:04, James H. H. Lampert wrote:
> On 3/17/20 3:50 PM, Mark Thomas wrote:
>> The XSS might be valid. I assume the tool provided a sample URL you
>> could use to validate the finding. That should point you in the right
>> direction but feel free to ask here if more help is required.
> Near as I can tell, it did but it didn't provide a sample URL.
>
> Note that *all* I have is a PDF of the report, and I think the URL may
> have gotten mangled by spanning a page-break. I've posted a screenshot
> (with identifying information redacted) of what I'm looking at in the
> report:
>
> https://www.flickr.com/gp/64159238@N03/02i78o

This issue, according to that screenshot, seems to be on an error.jsp. The
only error.jsp that I could find in Tomcat 7.0.93 and 7.0.100 is in
webapps/examples/jsp/security/protected/error.jsp, i.e. under
/webapps/examples.

Are you sure that this is for Tomcat, not for your own application?
Looking at Tomcat's JSP, it's as simple as it can be, takes no external
input, and doesn't generate markup like the one you've posted.

But just in case: that examples webapp probably shouldn't be deployed on
production servers anyway (seeing it there, IMHO it'd be a good idea to
not package it this way in the first place, but that's a different story).

Cheers,
Olaf
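A check for the situation Olaf describes, added here as an example and not part of the thread or of Tomcat itself: a POSIX shell script that lists which of Tomcat's stock webapps (ROOT, docs, examples, manager, host-manager) are present under a CATALINA_BASE, and reports whether the examples error.jsp named above is deployed, so an operator can tell a scanner finding against the examples app from one against their own application. The only layout it assumes is the standard webapps/ directory; the sample tree it builds when run without an argument is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat: inventory the
# stock Tomcat webapps under a CATALINA_BASE and flag the examples app.

# tomcat_default_webapps CATALINA_BASE
#   Prints one line per stock webapp directory found under webapps/.
#   The names are the webapps a stock Tomcat 7 distribution ships with.
tomcat_default_webapps() {
    base="$1"
    for app in ROOT docs examples manager host-manager; do
        if [ -d "$base/webapps/$app" ]; then
            echo "$app"
        fi
    done
}

# examples_error_jsp_present CATALINA_BASE
#   Returns 0 if the error.jsp from the examples webapp (the file the
#   thread points at) exists under this CATALINA_BASE, 1 otherwise.
examples_error_jsp_present() {
    [ -f "$1/webapps/examples/jsp/security/protected/error.jsp" ]
}

# make_sample_base
#   Builds a constructed CATALINA_BASE (not a real Tomcat install) in a
#   temporary directory with ROOT and the examples webapp deployed, and
#   prints its path. Used only for the stand-alone demonstration below.
make_sample_base() {
    d=$(mktemp -d)
    mkdir -p "$d/webapps/ROOT" "$d/webapps/examples/jsp/security/protected"
    : > "$d/webapps/examples/jsp/security/protected/error.jsp"
    echo "$d"
}

# Report. With a CATALINA_BASE argument the real install is inspected;
# without one the constructed sample is inspected and then removed.
if [ -n "${1:-}" ]; then
    report_base="$1"
    constructed=0
else
    report_base=$(make_sample_base)
    constructed=1
fi
echo "Stock Tomcat webapps under $report_base/webapps:"
tomcat_default_webapps "$report_base"
if examples_error_jsp_present "$report_base"; then
    echo "examples error.jsp is deployed: remove webapps/examples before exposing this host"
else
    echo "examples webapp not deployed"
fi
if [ "$constructed" -eq 1 ]; then
    rm -rf "$report_base"
fi
```

Run it as `sh tomcat-webapps-check.sh /path/to/CATALINA_BASE` against a real install; the `examples` line and the error.jsp message are the ones to act on, since a finding reported on that path belongs to the examples webapp rather than to the application under test.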