Unescaped text messages in message detail
-----------------------------------------
Key: AMQ-1534
URL: https://issues.apache.org/activemq/browse/AMQ-1534
Project: ActiveMQ
Issue Type: Bug
Affects Versions: 5.0.0
Environment: Browser
Reporter: Elliotte Rusty Harold
Priority: Critical
The new HTTP based queue view is very useful. However it has one really
annoying bug that cost me some hours of debugging. Send a TextMessage to the
queue containing a typical HTML or XML document such as
<result></result>
Then look at that message in the web browser and look at the message detail to
see the text of the message. The text appears to be blank, especially if the
message only contains tags and white space as was the case for me. Even if it
isn't completely blank, the tags will be missing.
The problem is that the text of the message is displayed raw and added to the
HTML. This could even be a vector for XSS attacks since no escaping is
performed.
Before displaying the text it should be escaped. That is, & should be converted
to &amp; and < to &lt;. That should fix the critical problems.