Maxime Devos created XALANJ-2630:
------------------------------------
Summary: DocumentCache.getStatistics() seems to forget encoding URIs
Key: XALANJ-2630
URL: https://issues.apache.org/jira/browse/XALANJ-2630
Project: XalanJ2
Issue Type: Bug
Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
Components: XSLTC
Affects Versions: 2.7.2
Reporter: Maxime Devos
Assignee: Gary D. Gregory
While looking into packaging xalan in Guix
(https://issues.guix.gnu.org/32947#30), I noticed some code that doesn't seem
quite right. In Document.getStatistics():
out.println("<h2>DOM cache statistics</h2><center><table border=\"2\">"+
"<tr><td><b>Document URI</b></td>"+ [...])
a URL is put in the 'href' field. But the URL doesn't seem to be escaped
anywhere. What if the URL is, say,
"https://foo.bar/index.php?this=that&foo;car=bar"? Wouldn't that make the XML
malformed? I could easily have missed something here though ...
(TBC, I did not encounter this in the wild, I'm just looking at source code)