On 12/03/2024 13:47, Christopher Schultz wrote:
Greg and Mark,
On 3/12/24 05:00, Greg Huber wrote:
On 11/03/2024 18:17, Christopher Schultz wrote:
Mark,
On 3/10/24 08:49, Mark Thomas wrote:
On 10/03/2024 10:50, Greg Huber wrote:
Hello,
Using http://tomcat/manager-app/text/reload?path=/
When I reload an application (in java), I get a reply
OK - Reloaded application at context path [/]
but when the application is not present I get this reply:
FAIL - No context exists named [/]
Is it intentional that the fail shows the ascii code rather than
the slash like on the OK?
Yes.
If the provided context exists then we know that the name is HTML
safe since all valid context names are HTML safe. In this case there
is no escaping.
If the context does not exist then the provided content name may not
be HTML safe (it could be a deliberate XSS attempt) hence it is
escaped.
What is the Content-Type of the response? The URL implies that it's a
text interface, not HTML.
>
> Running it on the browser I get
>
> Content-Type : text/plain;charset=utf-8
Yeah, that's what I was expecting.
I think HTML escaping is not appropriate, here.
Agreed. The challenge is that you don't have the context to determine if
the request originates from the HTMLManagerServlet.
It may be possible to refactor the escaping so it happens in
HTMLManagerServlet instead.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
