Re: svn commit: r496022 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/servlet/JspServlet.java

[Mark Thomas]

Tim Funk wrote:
> Is this screaming XSS attack?
> 
> Since javadocs in getRequestURI() say ... "The web container does not
> decode this String"

It would be if it wasn't for line 177 of o.a.c.valves.ErrorReportValve
which does:
String message = RequestUtil.filter(response.getMessage());

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]