On 18.03.20 01:04, James H. H. Lampert wrote:
> On 3/17/20 3:50 PM, Mark Thomas wrote:
>> The XXS might be valid. I assume the tool provided a sample URL you
>> could use to validate the finding. That should point you in the right
>> direction but feel free to ask here if more help is required.
> Near as I can tell, it did but it didn't provide a sample URL.
> Note that *all* I have is a PDF of the report, and I think the URL may
> have gotten mangled by spanning a page-break. I've posted a screenshot
> (with identifying information redacted) of what I'm looking at in the
> report:
> https://www.flickr.com/gp/64159238@N03/02i78o
This issue, according to that screenshot, seems to be on an error.jsp.
The only error.jsp that I could find in Tomcat 7.0.93 and 7.0.100 is in
webapps/examples/jsp/security/protected/error.jsp, i.e. under

Are you sure that this is for tomcat, not for your own application?
Looking at tomcat's jsp, it's as simple as it can be, takes no external
input, and doesn't generate markup as the one you've posted. But just in
case: That examples webapp probably shouldn't be deployed on production
servers anyway (seeing it there, IMHO it'd be a good idea to not package
it in this way in the first place, but that's a different story)



To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to