On Wed, Jul 22, 2009 at 2:37 PM, Mark Thomas<ma...@apache.org> wrote: > You'll need to provide more details. Nothing stands out from the security > pages. > > Please provide step by step instructions to reproduce from a clean Tomcat > installation. > > Please also note that potential security vulnerabilities should be reported > privately (see http://tomcat.apache.org/security.html), rather than to a > public > list. Since you have posted to a public list, there is no point continuing in > private.
I don't think the host is used in HTML generated by Tomcat. OTOH, like the other strings returned by the API, ServletRequest.getServerName is not XSS filtered. Rémy --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
