cortlepp commented on PR #1242:
URL: 
https://github.com/apache/axis-axis2-java-core/pull/1242#issuecomment-4901074528

   Hey,
   thanks for looking into this, but I don't think this is valid. First of all, 
the operator of the axis instance chooses the server name, that is not in our 
threat model (since the administrator can obviously change the behavior of 
axis, it's kind of their job). Secondly, even if they wanted to deploy the 
server to a malicious host name, that would still have to be a valid host name 
in order for any of this to work, and you just can't put a script tag inside of 
a host name (see the relevant RFCs for details).
   
   I'd agree though that it would look nicer (and be more obviously correct) if 
`buildOpenApiUrl` would return a `URI` instead of a `String` (and we would pass 
that around right until we embed it into the html). If you want to improve the 
clarity of the code in that way I'd be open to reviewing such an MR.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to