This is an automated email from the ASF dual-hosted git repository.

rmaucher pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new a68e78450c Add missing escaping to the dom writer
a68e78450c is described below

commit a68e78450cd11b4a89d3c897eb2721047cf32f17
Author: remm <[email protected]>
AuthorDate: Wed May 27 12:52:26 2026 +0200

    Add missing escaping to the dom writer
    
    Coauthored by OpenCode (after review, my initial patch was not enough).
---
 java/org/apache/catalina/util/DOMWriter.java | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/util/DOMWriter.java 
b/java/org/apache/catalina/util/DOMWriter.java
index 5e76b542ae..6218dfb4e2 100644
--- a/java/org/apache/catalina/util/DOMWriter.java
+++ b/java/org/apache/catalina/util/DOMWriter.java
@@ -113,10 +113,21 @@ public class DOMWriter {
                 out.print("<?");
                 out.print(node.getLocalName());
 
-                String data = node.getNodeValue();
-                if (data != null && !data.isEmpty()) {
+                String piData = node.getNodeValue();
+                if (piData != null && !piData.isEmpty()) {
                     out.print(' ');
-                    out.print(data);
+                    // The only illegal sequence in PI data is ?> which would
+                    // terminate the PI early. Break it with a space. PI data
+                    // is opaque and must not have entity escaping applied.
+                    int start = 0;
+                    int end = piData.indexOf("?>");
+                    while (end >= 0) {
+                        out.print(piData.substring(start, end + 1));
+                        out.print(' ');
+                        start = end + 1;
+                        end = piData.indexOf("?>", start);
+                    }
+                    out.print(piData.substring(start));
                 }
                 out.print("?>");
                 break;
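Review bot: The nine-line scan loop for `?>` produces the same output as `out.print(piData.replace("?>", "? >"));`, because `?>` cannot overlap itself, and the one-liner is easier to audit in an escaping routine. The diffstat lists only DOMWriter.java, so nothing pins the new behaviour. A unit test that serializes PI data such as `a?>b` and `??>` and checks that the output re-parses to a single processing instruction with no trailing markup would guard against regression. The target on the context line is still written with `node.getLocalName()`, which the DOM specification defines as null for node types other than element and attribute, so it may print `null`; `node.getNodeName()` returns the PI target and looks like the intended call. The enclosing method starts and ends outside the hunk, so the type of `out` and the other node cases are not visible here.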

