Fix CVE-2022-34305 XSS in the examples web application · apache/tomcat@1a7e95d · GitHub
Skip to content

Commit

Permalink
Fix CVE-2022-34305 XSS in the examples web application
Browse files Browse the repository at this point in the history
The session attributes are the primary concern but filter the Principal
attributes as well to be on the safe side.
  • Loading branch information
markt-asf committed Jun 23, 2022
1 parent 8dfe1b4 commit 1a7e95d
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 2 deletions.
4 changes: 4 additions & 0 deletions webapps/docs/changelog.xml
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,10 @@
Documentation. <bug>62245</bug>: Include <code>contextXsltFile</code>
when discussing options for configuring directory listings. (markt)
</fix>
<fix>
Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the
Form authentication example. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
Expand Down
11 changes: 9 additions & 2 deletions webapps/examples/jsp/security/protected/index.jsp
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,11 @@ enter it here:
}
type = type.replaceFirst("^java\\.lang\\.", "");
%>
<tr><td><%= name %></td><td><%= value %></td><td><%= type %></td>
<tr>
<td><%= util.HTMLFilter.filter(name) %></td>
<td><%= util.HTMLFilter.filter(String.valueOf(value)) %></td>
<td><%= util.HTMLFilter.filter(type) %></td>
</tr>
<%
}
%>
Expand Down Expand Up @@ -139,7 +143,10 @@ To add some data to the authenticated session, enter it here:
while (names.hasMoreElements()) {
String name = names.nextElement();
%>
<tr><td><%= name %></td><td><%= session.getAttribute(name) %></td>
<tr>
<td><%= util.HTMLFilter.filter(name) %></td>
<td><%= util.HTMLFilter.filter(String.valueOf(session.getAttribute(name))) %></td>
</tr>
<%
}
%>
Expand Down

0 comments on commit 1a7e95d

Please sign in to comment.