>   You can prove that it is not related to JSP by trying *any* URI that
>   includes JavaScript code, and triggers a 404, such as:
>
>   http://localhost:8080/examples/<SCRIPT>alert(document.cookie)</SCRIPT>.xyz
>
>   The fix is to filter the message string included in the response, so that
>   characters sensitive to HTML are rendered as their corresponding escape
>   sequences (such as translating "<" to "&lt;") so that the browser will
>   render them rather than execute them.

I don't like that patch (sorry).

AFAIK, '<' isn't a safe character in a URL. If encoded, it should be encoded
using %xx.
So here, we should either:
- encode using %xx (instead of using the XML style encoding, because
otherwise after encoding the request will always fail with 404)
- Refuse parsing unsafe characters in the connector, and return a 400 (bad
request); that would probably break some old clients

Remy
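The three options discussed in this thread side by side, as an added illustration that is not code from the thread or from the servlet container being discussed: the raw interpolation that makes the 404 page reflect script, the HTML-escaping fix from the quoted message, and Remy's two alternatives (percent-encode unsafe characters in the path, or reject them in the connector with a 400). The template, the function names and the `UNSAFE_IN_PATH` set are constructed for this example; the functions operate on the already-decoded request path.

```python
"""Handling an unsafe request URI in a 404 page: added example, not the
container's own code. Assumes the 404 body is built from a string template
and that the path has already been split from the query string and decoded.
"""
from html import escape
from typing import Tuple

# Characters RFC 1738 lists as unsafe in a URL, plus the HTML-sensitive ones.
# Constructed set for this example; a real connector follows its own RFC table.
UNSAFE_IN_PATH = frozenset(' <>"#{}|\\^[]`')

# Hypothetical 404 template; the {uri} slot is where the request path lands.
NOT_FOUND_TEMPLATE = (
    "<html><head><title>404 Not Found</title></head>"
    "<body><h1>Not Found</h1>"
    "<p>The requested URL {uri} was not found on this server.</p>"
    "</body></html>"
)


def render_not_found_unescaped(uri: str) -> str:
    """The vulnerable pattern: the raw URI is interpolated into HTML, so a
    path containing <SCRIPT> is sent back verbatim and executed by the browser."""
    return NOT_FOUND_TEMPLATE.format(uri=uri)


def render_not_found(uri: str) -> str:
    """The fix from the quoted message: HTML-escape the message string so '<'
    becomes '&lt;' and the browser renders the text instead of executing it."""
    return NOT_FOUND_TEMPLATE.format(uri=escape(uri, quote=True))


def percent_encode_unsafe(path: str) -> str:
    """Remy's first alternative: canonicalise the path with %xx encoding of
    unsafe characters (not XML/HTML entities), so the result is still a URL
    rather than something that can only ever produce a 404."""
    out = []
    for ch in path:
        code = ord(ch)
        if ch in UNSAFE_IN_PATH or code < 0x20 or code > 0x7E:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def check_request_path(path: str) -> Tuple[int, str]:
    """Remy's second alternative: refuse unsafe characters in the connector and
    answer 400 Bad Request, so they never reach any page template. Otherwise
    fall through to the (escaped) 404 page. Returns (status, body)."""
    if any(ch in UNSAFE_IN_PATH or ord(ch) < 0x20 for ch in path):
        return 400, "Bad Request: unsafe character in request path"
    return 404, render_not_found(path)


if __name__ == "__main__":
    # The URI from the thread, used here as constructed sample input.
    sample = "/examples/<SCRIPT>alert(document.cookie)</SCRIPT>.xyz"
    print(render_not_found_unescaped(sample))
    print(render_not_found(sample))
    print(percent_encode_unsafe(sample))
    print(check_request_path(sample))
```

Note that the two approaches answer different questions: escaping belongs to the page that echoes the path and protects every template that uses it, whereas rejecting or re-encoding in the connector changes what requests are accepted at all, which is the compatibility trade-off Remy raises.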
